Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

- 800-53 (Rev. 5) Risk Management Framework - RMF Security Controls

Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined. Individual controls are often designed to act together to increase effective protection. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. For example, a framework can help an organization manage controls over access regardless of the type of computer operating system. This also enables an organization to assess overall risk. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO27001:2013, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53.
POLICY AND PROCEDURES
RMF Control
AC-1
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
AC-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
AC-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
AC-1c.
Review and update the current access control:
Assessment Procedures
AC-1.1 - CCI-002107
The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls.
AC-1.2 - CCI-002108
The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the implementation of the access control policy and associated access controls.
AC-1.3 - CCI-000001
The organization develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AC-1.4 - CCI-000002
The organization disseminates the access control policy to organization-defined personnel or roles.
AC-1.5 - CCI-000004
The organization develops and documents procedures to facilitate the implementation of the access control policy and associated access controls.
AC-1.6 - CCI-000005
The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles.
AC-1.8 - CCI-001545
The organization defines a frequency for reviewing and updating the access control policy.
AC-1.7 - CCI-000003
The organization reviews and updates the access control policy in accordance with organization-defined frequency.
AC-1.10 - CCI-001546
The organization defines a frequency for reviewing and updating the access control procedures.
AC-1.9 - CCI-000006
The organization reviews and updates the access control procedures in accordance with organization-defined frequency.
Related Controls
  1. IA-1 - Policy And Procedures
  2. PM-9 - Risk Management Strategy
  3. PM-24 - Data Integrity Board
  4. PS-8 - Personnel Sanctions
  5. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874., "IR 7874" https://doi.org/10.6028/NIST.IR.7874
  3. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  4. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  5. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  6. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
ACCOUNT MANAGEMENT
RMF Control
AC-2
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts. Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability. Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.
Instructions
AC-2a.
Define and document the types of accounts allowed and specifically prohibited for use within the system;
AC-2b.
Assign account managers;
AC-2c.
Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
AC-2d.
Specify:
AC-2e.
Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
AC-2f.
Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
AC-2g.
Monitor the use of accounts;
AC-2h.
Notify account managers and [Assignment: organization-defined personnel or roles] within:
AC-2i.
Authorize access to the system based on:
AC-2j.
Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
AC-2k.
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
AC-2l.
Align account management processes with personnel termination and transfer processes.
Assessment Procedures
AC-2.1 - CCI-002110
The organization defines the information system account types that support the organizational missions/business functions.
AC-2.2 - CCI-002111
The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions.
AC-2.3 - CCI-002112
The organization assigns account managers for information system accounts.
AC-2.4 - CCI-000008
The organization establishes conditions for group membership.
AC-2.5 - CCI-002113
The organization establishes conditions for role membership.
AC-2.6 - CCI-002115
The organization specifies authorized users of the information system.
AC-2.7 - CCI-002116
The organization specifies authorized group membership on the information system.
AC-2.8 - CCI-002117
The organization specifies authorized role membership on the information system.
AC-2.9 - CCI-002118
The organization specifies access authorizations (i.e., privileges) for each account on the information system.
AC-2.10 - CCI-002119
The organization specifies other attributes for each account on the information system.
AC-2.12 - CCI-002120
The organization defines the personnel or roles authorized to approve the creation of information system accounts.
AC-2.11 - CCI-000010
The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts.
AC-2.14 - CCI-002121
The organization defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts.
AC-2.13 - CCI-000011
The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
AC-2.15 - CCI-002122
The organization monitors the use of information system accounts.
AC-2.16 - CCI-002123
The organization notifies account managers when accounts are no longer required.
AC-2.17 - CCI-002124
The organization notifies account managers when users are terminated or transferred.
AC-2.18 - CCI-002125
The organization notifies account managers when individual information system usage or need-to-know changes.
AC-2.19 - CCI-002126
The organization authorizes access to the information system based on a valid access authorization.
AC-2.20 - CCI-002127
The organization authorizes access to the information system based on intended system usage.
AC-2.21 - CCI-002128
The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions.
AC-2.22 - CCI-000012
The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency.
AC-2.23 - CCI-001547
The organization defines the frequency on which it will review information system accounts for compliance with account management requirements.
AC-2.24 - CCI-002129
The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-5 - Separation Of Duties
  3. AC-6 - Least Privilege
  4. AC-17 - Remote Access
  5. AC-18 - Wireless Access
  6. AC-20 - Use Of External Systems
  7. AC-24 - Access Control Decisions
  8. AU-2 - Event Logging
  9. AU-12 - Audit Record Generation
  10. CM-5 - Access Restrictions For Change
  11. IA-2 - Identification And Authentication (Organizational Users)
  12. IA-4 - Identifier Management
  13. IA-5 - Authenticator Management
  14. IA-8 - Identification And Authentication (Non-Organizational Users)
  15. MA-3 - Maintenance Tools
  16. MA-5 - Maintenance Personnel
  17. PE-2 - Physical Access Authorizations
  18. PL-4 - Rules Of Behavior
  19. PS-2 - Position Risk Designation
  20. PS-4 - Personnel Termination
  21. PS-5 - Personnel Transfer
  22. PS-7 - External Personnel Security
  23. PT-2 - Authority To Process Personally Identifiable Information
  24. PT-3 - Personally Identifiable Information Processing Purposes
  25. SC-7 - Boundary Protection
  26. SC-12 - Cryptographic Key Establishment And Management
  27. SC-13 - Cryptographic Protection
  28. SC-37 - Out-Of-Band Channels
References
  1. Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178., "SP 800-178" https://doi.org/10.6028/NIST.SP.800-178
  2. Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019., "SP 800-162" https://doi.org/10.6028/NIST.SP.800-162
  3. Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192., "SP 800-192" https://doi.org/10.6028/NIST.SP.800-192
Enhancements
AC-2(1) - Automated System Account Management
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
AC-2(2) - Automated Temporary And Emergency Account Management
Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3) - Disable Accounts
Disable accounts within [Assignment: organization-defined time period] when the accounts:
AC-2(4) - Automated Audit Actions
Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2(5) - Inactivity Logout
Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
AC-2(6) - Dynamic Privilege Management
Implement [Assignment: organization-defined dynamic privilege management capabilities].
AC-2(7) - Privileged User Accounts
AC-2(8) - Dynamic Account Management
Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.
AC-2(9) - Restrictions On Use Of Shared And Group Accounts
Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts].
AC-2(10) - Shared And Group Account Credential Change
[Withdrawn: Incorporated into AC-2].
AC-2(11) - Usage Conditions
Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].
AC-2(12) - Account Monitoring For Atypical Usage
AC-2(13) - Disable Accounts For High-Risk Individuals
Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].
ACCESS ENFORCEMENT
RMF Control
AC-3
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.
Instructions
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Assessment Procedures
AC-3.1 - CCI-000213
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Related Controls
  1. AC-2 - Account Management
  2. AC-4 - Information Flow Enforcement
  3. AC-5 - Separation Of Duties
  4. AC-6 - Least Privilege
  5. AC-16 - Security And Privacy Attributes
  6. AC-17 - Remote Access
  7. AC-18 - Wireless Access
  8. AC-19 - Access Control For Mobile Devices
  9. AC-20 - Use Of External Systems
  10. AC-21 - Information Sharing
  11. AC-22 - Publicly Accessible Content
  12. AC-24 - Access Control Decisions
  13. AC-25 - Reference Monitor
  14. AT-2 - Literacy Training And Awareness
  15. AT-3 - Role-Based Training
  16. AU-9 - Protection Of Audit Information
  17. CA-9 - Internal System Connections
  18. CM-5 - Access Restrictions For Change
  19. CM-11 - User-Installed Software
  20. IA-2 - Identification And Authentication (Organizational Users)
  21. IA-5 - Authenticator Management
  22. IA-6 - Authentication Feedback
  23. IA-7 - Cryptographic Module Authentication
  24. IA-11 - Re-Authentication
  25. MA-3 - Maintenance Tools
  26. MA-4 - Nonlocal Maintenance
  27. MA-5 - Maintenance Personnel
  28. MP-4 - Media Storage
  29. PM-2 - Information Security Program Leadership Role
  30. PS-3 - Personnel Screening
  31. PT-2 - Authority To Process Personally Identifiable Information
  32. PT-3 - Personally Identifiable Information Processing Purposes
  33. SA-17 - Developer Security And Privacy Architecture And Design
  34. SC-2 - Separation Of System And User Functionality
  35. SC-3 - Security Function Isolation
  36. SC-4 - Information In Shared System Resources
  37. SC-12 - Cryptographic Key Establishment And Management
  38. SC-13 - Cryptographic Protection
  39. SC-28 - Protection Of Information At Rest
  40. SC-31 - Covert Channel Analysis
  41. SC-34 - Non-Modifiable Executable Programs
  42. SI-4 - System Monitoring
  43. SI-8 - Spam Protection
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
  4. Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178., "SP 800-178" https://doi.org/10.6028/NIST.SP.800-178
  5. Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019., "SP 800-162" https://doi.org/10.6028/NIST.SP.800-162
  6. Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874., "IR 7874" https://doi.org/10.6028/NIST.IR.7874
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  8. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
AC-3(1) - Restricted Access To Privileged Functions
[Withdrawn: Incorporated into AC-6].
AC-3(2) - Dual Authorization
Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3(3) - Mandatory Access Control
Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
AC-3(4) - Discretionary Access Control
Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
AC-3(5) - Security-Relevant Information
Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
AC-3(6) - Protection Of User And System Information
[Withdrawn: Incorporated into MP-4, SC-28].
AC-3(7) - Role-Based Access Control
Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
AC-3(8) - Revocation Of Access Authorizations
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
AC-3(9) - Controlled Release
Release information outside of the system only if:
AC-3(10) - Audited Override Of Access Control Mechanisms
Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].
AC-3(11) - Restrict Access To Specific Information Types
Restrict access to data repositories containing [Assignment: organization-defined information types].
AC-3(12) - Assert And Enforce Application Access
AC-3(13) - Attribute-Based Access Control
Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].
AC-3(14) - Individual Access
Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].
AC-3(15) - Discretionary And Mandatory Access Control
INFORMATION FLOW ENFORCEMENT
RMF Control
AC-4
Subject Area
ACCESS CONTROL
Baseline Areas
MODERATE, HIGH
Description
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).
Instructions
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
Assessment Procedures
AC-4.1 - CCI-001368
The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
AC-4.2 - CCI-001414
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
AC-4.3 - CCI-001548
The organization defines the information flow control policies for controlling the flow of information within the system.
AC-4.4 - CCI-001549
The organization defines the information flow control policies for controlling the flow of information between interconnected systems.
AC-4.5 - CCI-001550
The organization defines approved authorizations for controlling the flow of information within the system.
AC-4.6 - CCI-001551
The organization defines approved authorizations for controlling the flow of information between interconnected systems.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-6 - Least Privilege
  3. AC-16 - Security And Privacy Attributes
  4. AC-17 - Remote Access
  5. AC-19 - Access Control For Mobile Devices
  6. AC-21 - Information Sharing
  7. AU-10 - Non-Repudiation
  8. CA-3 - Information Exchange
  9. CA-9 - Internal System Connections
  10. CM-7 - Least Functionality
  11. PL-9 - Central Management
  12. PM-24 - Data Integrity Board
  13. SA-17 - Developer Security And Privacy Architecture And Design
  14. SC-4 - Information In Shared System Resources
  15. SC-7 - Boundary Protection
  16. SC-16 - Transmission Of Security And Privacy Attributes
  17. SC-31 - Covert Channel Analysis
References
  1. Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178., "SP 800-178" https://doi.org/10.6028/NIST.SP.800-178
  2. Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112., "IR 8112" https://doi.org/10.6028/NIST.IR.8112
  3. Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019., "SP 800-162" https://doi.org/10.6028/NIST.SP.800-162
  4. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
AC-4(1) - Object Security And Privacy Attributes
Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(2) - Processing Domains
Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(3) - Dynamic Information Flow Control
Enforce [Assignment: organization-defined information flow control policies].
AC-4(4) - Flow Control Of Encrypted Information
Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
AC-4(5) - Embedded Data Types
Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.
AC-4(6) - Metadata
Enforce information flow control based on [Assignment: organization-defined metadata].
AC-4(7) - One-Way Flow Mechanisms
Enforce one-way information flows through hardware-based flow control mechanisms.
AC-4(8) - Security And Privacy Policy Filters
AC-4(9) - Human Reviews
Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
AC-4(10) - Enable And Disable Security Or Privacy Policy Filters
Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].
AC-4(11) - Configuration Of Security Or Privacy Policy Filters
Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.
AC-4(12) - Data Type Identifiers
When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
AC-4(13) - Decomposition Into Policy-Relevant Subcomponents
When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
AC-4(14) - Security Or Privacy Policy Filter Constraints
When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4(15) - Detection Of Unsanctioned Information
When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].
AC-4(16) - Information Transfers On Interconnected Systems
[Withdrawn: Incorporated into AC-4].
AC-4(17) - Domain Authentication
Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer.
AC-4(18) - Security Attribute Binding
[Withdrawn: Incorporated into AC-16].
AC-4(19) - Validation Of Metadata
When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.
AC-4(20) - Approved Solutions
Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
AC-4(21) - Physical Or Logical Separation Of Information Flows
Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
AC-4(22) - Access Only
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
AC-4(23) - Modify Non-Releasable Information
When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action].
AC-4(24) - Internal Normalized Format
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
AC-4(25) - Data Sanitization
When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy].
AC-4(26) - Audit Filtering Actions
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
AC-4(27) - Redundant/Independent Filtering Mechanisms
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
AC-4(28) - Linear Filter Pipelines
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
AC-4(29) - Filter Orchestration Engines
When transferring information between different security domains, employ content filter orchestration engines to ensure that:
AC-4(30) - Filter Mechanisms Using Multiple Processes
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
AC-4(31) - Failed Content Transfer Prevention
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
AC-4(32) - Process Requirements For Information Transfer
When transferring information between different security domains, the process that transfers information between filter pipelines:
SEPARATION OF DUTIES
RMF Control
AC-5
Subject Area
ACCESS CONTROL
Baseline Areas
MODERATE, HIGH
Description
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.
Instructions
AC-5a.
Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
AC-5b.
Define system access authorizations to support separation of duties.
Assessment Procedures
AC-5.2 - CCI-002219
The organization defines the duties of individuals that are to be separated.
AC-5.1 - CCI-000036
The organization separates organization-defined duties of individuals.
AC-5.3 - CCI-001380
The organization documents separation of duties of individuals.
AC-5.4 - CCI-002220
The organization defines information system access authorizations to support separation of duties.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-6 - Least Privilege
  4. AU-9 - Protection Of Audit Information
  5. CM-5 - Access Restrictions For Change
  6. CM-11 - User-Installed Software
  7. CP-9 - System Backup
  8. IA-2 - Identification And Authentication (Organizational Users)
  9. IA-4 - Identifier Management
  10. IA-5 - Authenticator Management
  11. IA-12 - Identity Proofing
  12. MA-3 - Maintenance Tools
  13. MA-5 - Maintenance Personnel
  14. PS-2 - Position Risk Designation
  15. SA-8 - Security And Privacy Engineering Principles
  16. SA-17 - Developer Security And Privacy Architecture And Design
References
Enhancements
LEAST PRIVILEGE
RMF Control
AC-6
Subject Area
ACCESS CONTROL
Baseline Areas
MODERATE, HIGH
Description
Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.
Instructions
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Assessment Procedures
AC-6.1 - CCI-000225
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-5 - Separation Of Duties
  4. AC-16 - Security And Privacy Attributes
  5. CM-5 - Access Restrictions For Change
  6. CM-11 - User-Installed Software
  7. PL-2 - System Security And Privacy Plans
  8. PM-12 - Insider Threat Program
  9. SA-8 - Security And Privacy Engineering Principles
  10. SA-15 - Development Process, Standards, And Tools
  11. SA-17 - Developer Security And Privacy Architecture And Design
  12. SC-38 - Operations Security
References
Enhancements
AC-6(1) - Authorize Access To Security Functions
Authorize access for [Assignment: organization-defined individuals or roles] to:
AC-6(2) - Non-Privileged Access For Nonsecurity Functions
Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6(3) - Network Access To Privileged Commands
Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
AC-6(4) - Separate Processing Domains
Provide separate processing domains to enable finer-grained allocation of user privileges.
AC-6(5) - Privileged Accounts
Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].
AC-6(6) - Privileged Access By Non-Organizational Users
Prohibit privileged access to the system by non-organizational users.
AC-6(7) - Review Of User Privileges
AC-6(8) - Privilege Levels For Code Execution
Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].
AC-6(9) - Log Use Of Privileged Functions
Log the execution of privileged functions.
AC-6(10) - Prohibit Non-Privileged Users From Executing Privileged Functions
Prevent non-privileged users from executing privileged functions.
UNSUCCESSFUL LOGON ATTEMPTS
RMF Control
AC-7
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
Instructions
AC-7a.
Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
AC-7b.
Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.
Assessment Procedures
AC-7.1 - CCI-000043
The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
AC-7.2 - CCI-000044
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
AC-7.3 - CCI-001423
The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.
AC-7.4 - CCI-002236
The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful attempts is exceeded.
AC-7.5 - CCI-002237
The organization defines the delay algorithm to be employed by the information system to delay the next login prompt when the maximum number of unsuccessful attempts is exceeded.
AC-7.6 - CCI-002238
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next login prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful attempts is exceeded.
Related Controls
  1. AC-2 - Account Management
  2. AC-9 - Previous Logon Notification
  3. AU-2 - Event Logging
  4. AU-6 - Audit Record Review, Analysis, And Reporting
  5. IA-5 - Authenticator Management
References
  1. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  2. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
AC-7(1) - Automatic Account Lock
[Withdrawn: Incorporated into AC-7].
AC-7(2) - Purge Or Wipe Mobile Device
Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
AC-7(3) - Biometric Attempt Limiting
Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number].
AC-7(4) - Use Of Alternate Authentication Factor
SYSTEM USE NOTIFICATION
RMF Control
AC-8
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.
Instructions
AC-8a.
Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
AC-8b.
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
AC-8c.
For publicly accessible systems:
Assessment Procedures
AC-8.2 - CCI-002247
The organization defines the use notification message or banner the information system displays to users before granting access to the system.
AC-8.1 - CCI-000048
The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
AC-8.3 - CCI-002243
The organization-defined information system use notification message or banner is to state that users are accessing a U.S. Government information system.
AC-8.4 - CCI-002244
The organization-defined information system use notification message or banner is to state that information system usage may be monitored, recorded, and subject to audit.
AC-8.5 - CCI-002245
The organization-defined information system use notification message or banner is to state that unauthorized use of the information system is prohibited and subject to criminal and civil penalties.
AC-8.6 - CCI-002246
The organization-defined information system use notification message or banner is to state that use of the information system indicates consent to monitoring and recording.
AC-8.7 - CCI-000050
The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access.
AC-8.8 - CCI-001384
The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access.
AC-8.10 - CCI-001385
The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
AC-8.11 - CCI-001386
The information system for publicly accessible systems displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
AC-8.12 - CCI-001387
The information system for publicly accessible systems displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
AC-8.13 - CCI-001388
The information system, for publicly accessible systems, includes a description of the authorized uses of the system.
AC-8.9 - CCI-002248
The organization defines the conditions of use which are to be displayed to users of the information system before granting further access.
Related Controls
  1. AC-14 - Permitted Actions Without Identification Or Authentication
  2. PL-4 - Rules Of Behavior
  3. SI-4 - System Monitoring
References
Enhancements
PREVIOUS LOGON NOTIFICATION
RMF Control
AC-9
Subject Area
ACCESS CONTROL
Baseline Areas
NOT SELECTED
Description
Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access.
Instructions
Notify the user, upon successful logon to the system, of the date and time of the last logon.
Assessment Procedures
AC-9.1 - CCI-000052
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
Related Controls
  1. AC-7 - Unsuccessful Logon Attempts
  2. PL-4 - Rules Of Behavior
References
Enhancements
AC-9(1) - Unsuccessful Logons
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
AC-9(2) - Successful And Unsuccessful Logons
Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period].
AC-9(3) - Notification Of Account Changes
Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period].
AC-9(4) - Additional Logon Information
Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information].
CONCURRENT SESSION CONTROL
RMF Control
AC-10
Subject Area
ACCESS CONTROL
Baseline Areas
HIGH
Description
Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.
Instructions
Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
Assessment Procedures
AC-10.1 - CCI-000054
The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.
AC-10.2 - CCI-000055
The organization defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.
AC-10.3 - CCI-002252
The organization defines the accounts for which the information system will limit the number of concurrent sessions.
Related Controls
  1. SC-23 - Session Authenticity
References
Enhancements
DEVICE LOCK
RMF Control
AC-11
Subject Area
ACCESS CONTROL
Baseline Areas
MODERATE, HIGH
Description
Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
Instructions
AC-11a.
Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and
AC-11b.
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
Assessment Procedures
AC-11.3 - CCI-000059
The organization defines the time period of inactivity after which the information system initiates a session lock.
AC-11.2 - CCI-000058
The information system provides the capability for users to directly initiate session lock mechanisms.
AC-11.4 - CCI-000056
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
Related Controls
  1. AC-2 - Account Management
  2. AC-7 - Unsuccessful Logon Attempts
  3. IA-11 - Re-Authentication
  4. PL-4 - Rules Of Behavior
References
Enhancements
AC-11(1) - Pattern-Hiding Displays
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
SESSION TERMINATION
RMF Control
AC-12
Subject Area
ACCESS CONTROL
Baseline Areas
MODERATE, HIGH
Description
Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
Instructions
Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
Assessment Procedures
AC-12.1 - CCI-002360
The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.
AC-12.2 - CCI-002361
The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.
Related Controls
  1. MA-4 - Nonlocal Maintenance
  2. SC-10 - Network Disconnect
  3. SC-23 - Session Authenticity
References
Enhancements
AC-12(1) - User-Initiated Logouts
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].
AC-12(2) - Termination Message
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
AC-12(3) - Timeout Warning Message
Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].
SUPERVISION AND REVIEW — ACCESS CONTROL
RMF Control
AC-13
Subject Area
ACCESS CONTROL
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into AC-2, AU-6].
Assessment Procedures
Related Controls
References
Enhancements
PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
RMF Control
AC-14
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none.
Instructions
AC-14a.
Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
AC-14b.
Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
Assessment Procedures
AC-14.1 - CCI-000061
The organization identifies and defines organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
AC-14.2 - CCI-000232
The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
Related Controls
  1. AC-8 - System Use Notification
  2. IA-2 - Identification And Authentication (Organizational Users)
  3. PL-2 - System Security And Privacy Plans
References
Enhancements
AC-14(1) - Necessary Uses
[Withdrawn: Incorporated into AC-14].
AUTOMATED MARKING
RMF Control
AC-15
Subject Area
ACCESS CONTROL
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into MP-3].
Assessment Procedures
Related Controls
References
Enhancements
SECURITY AND PRIVACY ATTRIBUTES
RMF Control
AC-16
Subject Area
ACCESS CONTROL
Baseline Areas
NOT SELECTED
Description
Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-3 (Media Marking).
Instructions
AC-16a.
Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
AC-16b.
Ensure that the attribute associations are made and retained with the information;
AC-16c.
Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];
AC-16d.
Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];
AC-16e.
Audit changes to attributes; and
AC-16f.
Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].
Assessment Procedures
AC-16.1 - CCI-002256
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in storage.
AC-16.2 - CCI-002257
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in process.
AC-16.3 - CCI-002258
The organization defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission.
AC-16.4 - CCI-002259
The organization defines security attribute values associated with organization-defined types of security attributes for information in storage.
AC-16.5 - CCI-002260
The organization defines security attribute values associated with organization-defined types of security attributes for information in process.
AC-16.6 - CCI-002261
The organization defines security attribute values associated with organization-defined types of security attributes for information in transmission.
AC-16.7 - CCI-002262
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
AC-16.8 - CCI-002263
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
AC-16.9 - CCI-002264
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
AC-16.10 - CCI-002265
The organization ensures that the security attribute associations are made with the information.
AC-16.11 - CCI-002266
The organization ensures that the security attribute associations are retained with the information.
AC-16.12 - CCI-002267
The organization defines the security attributes that are permitted for organization-defined information systems.
AC-16.13 - CCI-002268
The organization defines the information systems for which permitted organization-defined attributes are to be established.
AC-16.14 - CCI-002269
The organization establishes the permitted organization-defined security attributes for organization-defined information systems.
AC-16.15 - CCI-002270
The organization defines the values or ranges permitted for each of the established security attributes.
AC-16.16 - CCI-002271
The organization determines the permitted organization-defined values or ranges for each of the established security attributes.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-6 - Least Privilege
  4. AC-21 - Information Sharing
  5. AC-25 - Reference Monitor
  6. AU-2 - Event Logging
  7. AU-10 - Non-Repudiation
  8. MP-3 - Media Marking
  9. PE-22 - Component Marking
  10. PT-2 - Authority To Process Personally Identifiable Information
  11. PT-3 - Personally Identifiable Information Processing Purposes
  12. PT-4 - Consent
  13. SC-11 - Trusted Path
  14. SC-16 - Transmission Of Security And Privacy Attributes
  15. SI-12 - Information Management And Retention
  16. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178., "SP 800-178" https://doi.org/10.6028/NIST.SP.800-178
  2. Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019., "SP 800-162" https://doi.org/10.6028/NIST.SP.800-162
  3. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AC-16(1) - Dynamic Attribute Association
Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].
AC-16(2) - Attribute Value Changes By Authorized Individuals
Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
AC-16(3) - Maintenance Of Attribute Associations By System
Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects].
AC-16(4) - Association Of Attributes By Authorized Individuals
Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16(5) - Attribute Displays On Objects To Be Output
Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions].
AC-16(6) - Maintenance Of Attribute Association
Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies].
AC-16(7) - Consistent Attribute Interpretation
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
AC-16(8) - Association Techniques And Technologies
Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.
AC-16(9) - Attribute Reassignment — Regrading Mechanisms
Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].
AC-16(10) - Attribute Configuration By Authorized Individuals
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
REMOTE ACCESS
RMF Control
AC-17
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.
Instructions
AC-17a.
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
AC-17b.
Authorize each type of remote access to the system prior to allowing such connections.
Assessment Procedures
AC-17.1 - CCI-000063
The organization defines allowed methods of remote access to the information system.
AC-17.2 - CCI-002310
The organization establishes and documents usage restrictions for each type of remote access allowed.
AC-17.3 - CCI-002311
The organization establishes and documents configuration/connection requirements for each type of remote access allowed.
AC-17.4 - CCI-002312
The organization establishes and documents implementation guidance for each type of remote access allowed.
AC-17.5 - CCI-000065
The organization authorizes remote access to the information system prior to allowing such connections.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-4 - Information Flow Enforcement
  4. AC-18 - Wireless Access
  5. AC-19 - Access Control For Mobile Devices
  6. AC-20 - Use Of External Systems
  7. CA-3 - Information Exchange
  8. CM-10 - Software Usage Restrictions
  9. IA-2 - Identification And Authentication (Organizational Users)
  10. IA-3 - Device Identification And Authentication
  11. IA-8 - Identification And Authentication (Non-Organizational Users)
  12. MA-4 - Nonlocal Maintenance
  13. PE-17 - Alternate Work Site
  14. PL-2 - System Security And Privacy Plans
  15. PL-4 - Rules Of Behavior
  16. SC-10 - Network Disconnect
  17. SC-12 - Cryptographic Key Establishment And Management
  18. SC-13 - Cryptographic Protection
  19. SI-4 - System Monitoring
References
  1. Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1., "SP 800-77" https://doi.org/10.6028/NIST.SP.800-77r1
  2. Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113., "SP 800-113" https://doi.org/10.6028/NIST.SP.800-113
  3. Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2., "SP 800-121" https://doi.org/10.6028/NIST.SP.800-121r2
  4. Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2., "SP 800-46" https://doi.org/10.6028/NIST.SP.800-46r2
  5. Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1., "SP 800-114" https://doi.org/10.6028/NIST.SP.800-114r1
  6. Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966., "IR 7966" https://doi.org/10.6028/NIST.IR.7966
Enhancements
AC-17(1) - Monitoring And Control
Employ automated mechanisms to monitor and control remote access methods.
AC-17(2) - Protection Of Confidentiality And Integrity Using Encryption
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17(3) - Managed Access Control Points
Route remote accesses through authorized and managed network access control points.
AC-17(4) - Privileged Commands And Access
AC-17(5) - Monitoring For Unauthorized Connections
[Withdrawn: Incorporated into SI-4].
AC-17(6) - Protection Of Mechanism Information
Protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17(7) - Additional Protection For Security Function Access
[Withdrawn: Incorporated into AC-3(10)].
AC-17(8) - Disable Nonsecure Network Protocols
[Withdrawn: Incorporated into CM-7].
AC-17(9) - Disconnect Or Disable Access
Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].
AC-17(10) - Authenticate Remote Commands
Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].
WIRELESS ACCESS
RMF Control
AC-18
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.
Instructions
AC-18a.
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
AC-18b.
Authorize each type of wireless access to the system prior to allowing such connections.
Assessment Procedures
AC-18.1 - CCI-001438
The organization establishes usage restrictions for wireless access.
AC-18.3 - CCI-002323
The organization establishes configuration/connection requirements for wireless access.
AC-18.2 - CCI-001439
The organization establishes implementation guidance for wireless access.
AC-18.4 - CCI-001441
The organization authorizes wireless access to the information system prior to allowing such connections.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-17 - Remote Access
  4. AC-19 - Access Control For Mobile Devices
  5. CA-9 - Internal System Connections
  6. CM-7 - Least Functionality
  7. IA-2 - Identification And Authentication (Organizational Users)
  8. IA-3 - Device Identification And Authentication
  9. IA-8 - Identification And Authentication (Non-Organizational Users)
  10. PL-4 - Rules Of Behavior
  11. SC-40 - Wireless Link Protection
  12. SC-43 - Usage Restrictions
  13. SI-4 - System Monitoring
References
  1. Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97., "SP 800-97" https://doi.org/10.6028/NIST.SP.800-97
  2. Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94., "SP 800-94" https://doi.org/10.6028/NIST.SP.800-94
Enhancements
AC-18(1) - Authentication And Encryption
Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
AC-18(2) - Monitoring Unauthorized Connections
[Withdrawn: Incorporated into SI-4].
AC-18(3) - Disable Wireless Networking
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
AC-18(4) - Restrict Configurations By Users
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
AC-18(5) - Antennas And Transmission Power Levels
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
ACCESS CONTROL FOR MOBILE DEVICES
RMF Control
AC-19
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems. Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware. Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19. Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.
Instructions
AC-19a.
Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
AC-19b.
Authorize the connection of mobile devices to organizational systems.
Assessment Procedures
AC-19.1 - CCI-000082
The organization establishes usage restrictions for organization controlled mobile devices.
AC-19.3 - CCI-002325
The organization establishes configuration requirements for organization controlled mobile devices.
AC-19.4 - CCI-002326
The organization establishes connection requirements for organization controlled mobile devices.
AC-19.2 - CCI-000083
The organization establishes implementation guidance for organization controlled mobile devices.
AC-19.5 - CCI-000084
The organization authorizes connection of mobile devices to organizational information systems.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-7 - Unsuccessful Logon Attempts
  4. AC-11 - Device Lock
  5. AC-17 - Remote Access
  6. AC-18 - Wireless Access
  7. AC-20 - Use Of External Systems
  8. CA-9 - Internal System Connections
  9. CM-2 - Baseline Configuration
  10. CM-6 - Configuration Settings
  11. IA-2 - Identification And Authentication (Organizational Users)
  12. IA-3 - Device Identification And Authentication
  13. MP-2 - Media Access
  14. MP-4 - Media Storage
  15. MP-5 - Media Transport
  16. MP-7 - Media Use
  17. PL-4 - Rules Of Behavior
  18. SC-7 - Boundary Protection
  19. SC-34 - Non-Modifiable Executable Programs
  20. SC-43 - Usage Restrictions
  21. SI-3 - Malicious Code Protection
  22. SI-4 - System Monitoring
References
  1. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
  2. Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1., "SP 800-114" https://doi.org/10.6028/NIST.SP.800-114r1
Enhancements
AC-19(1) - Use Of Writable And Portable Storage Devices
[Withdrawn: Incorporated into MP-7].
AC-19(2) - Use Of Personally Owned Portable Storage Devices
[Withdrawn: Incorporated into MP-7].
AC-19(3) - Use Of Portable Storage Devices With No Identifiable Owner
[Withdrawn: Incorporated into MP-7].
AC-19(4) - Restrictions For Classified Information
AC-19(5) - Full Device Or Container-Based Encryption
Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
USE OF EXTERNAL SYSTEMS
RMF Control
AC-20
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems). For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. External systems used to access public interfaces to organizational systems are outside the scope of AC-20. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.
Instructions
AC-20a.
[Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
AC-20b.
Prohibit the use of [Assignment: organizationally-defined types of external systems].
Assessment Procedures
AC-20.1 - CCI-000093
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems.
AC-20.2 - CCI-002332
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store or transmit organization-controlled information using the external information systems.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-17 - Remote Access
  4. AC-19 - Access Control For Mobile Devices
  5. CA-3 - Information Exchange
  6. PL-2 - System Security And Privacy Plans
  7. PL-4 - Rules Of Behavior
  8. SA-9 - External System Services
  9. SC-7 - Boundary Protection
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  2. Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2., "SP 800-171" https://doi.org/10.6028/NIST.SP.800-171r2
  3. Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172., "SP 800-172" https://doi.org/10.6028/NIST.SP.800-172-draft
Enhancements
AC-20(1) - Limits On Authorized Use
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
AC-20(2) - Portable Storage Devices — Restricted Use
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions].
AC-20(3) - Non-Organizationally Owned Systems — Restricted Use
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions].
AC-20(4) - Network Accessible Storage Devices — Prohibited Use
Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems.
AC-20(5) - Portable Storage Devices — Prohibited Use
Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
INFORMATION SHARING
RMF Control
AC-21
Subject Area
ACCESS CONTROL
Baseline Areas
MODERATE, HIGH
Description
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.
Instructions
AC-21a.
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
AC-21b.
Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions.
Assessment Procedures
AC-21.1 - CCI-000098
The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information circumstances where user discretion is required.
AC-21.2 - CCI-001470
The organization defines information sharing circumstances where user discretion is required.
AC-21.3 - CCI-001471
The organization employs organization-defined automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.
AC-21.4 - CCI-001472
The organization defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-16 - Security And Privacy Attributes
  4. PT-2 - Authority To Process Personally Identifiable Information
  5. PT-7 - Specific Categories Of Personally Identifiable Information
  6. RA-3 - Risk Assessment
  7. SC-15 - Collaborative Computing Devices And Applications
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150., "SP 800-150" https://doi.org/10.6028/NIST.SP.800-150
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AC-21(1) - Automated Decision Support
Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21(2) - Information Search And Retrieval
Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
PUBLICLY ACCESSIBLE CONTENT
RMF Control
AC-22
Subject Area
ACCESS CONTROL
Baseline Areas
LOW, MODERATE, HIGH
Description
In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.
Instructions
AC-22a.
Designate individuals authorized to make information publicly accessible;
AC-22b.
Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22c.
Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
AC-22d.
Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.
Assessment Procedures
AC-22.1 - CCI-001473
The organization designates individuals authorized to post information onto a publicly accessible information system.
AC-22.2 - CCI-001474
The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
AC-22.3 - CCI-001475
The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included.
AC-22.4 - CCI-001476
The organization reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency.
AC-22.5 - CCI-001477
The organization defines a frequency for reviewing the content on the publicly accessible information system for nonpublic information.
AC-22.6 - CCI-001478
The organization removes nonpublic information from the publicly accessible information system, if discovered.
Related Controls
  1. AC-3 - Access Enforcement
  2. AT-2 - Literacy Training And Awareness
  3. AT-3 - Role-Based Training
  4. AU-13 - Monitoring For Information Disclosure
References
  1. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
DATA MINING PROTECTION
RMF Control
AC-23
Subject Area
ACCESS CONTROL
Baseline Areas
NOT SELECTED
Description
Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements. Data mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites. EO 13587 requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration.
Instructions
Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining.
Assessment Procedures
AC-23.1 - CCI-002343
The organization defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining.
AC-23.2 - CCI-002344
The organization defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects.
AC-23.3 - CCI-002345
The organization defines the data storage objects that are to be protected against data mining attempts.
AC-23.4 - CCI-002346
The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining.
AC-23.5 - CCI-002347
The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.
Related Controls
  1. PM-12 - Insider Threat Program
  2. PT-2 - Authority To Process Personally Identifiable Information
References
  1. Executive Order 13587, , October 2011., "EO 13587" https://obamawhitehouse.archives.gov/the-press-off
Enhancements
ACCESS CONTROL DECISIONS
RMF Control
AC-24
Subject Area
ACCESS CONTROL
Baseline Areas
NOT SELECTED
Description
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.
Instructions
[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
Assessment Procedures
AC-24.1 - CCI-002348
The organization defines the access control decisions that are to be applied to each access request prior to access enforcement.
AC-24.2 - CCI-002349
The organization establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access enforcement.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
References
  1. Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178., "SP 800-178" https://doi.org/10.6028/NIST.SP.800-178
  2. Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019., "SP 800-162" https://doi.org/10.6028/NIST.SP.800-162
Enhancements
AC-24(1) - Transmit Access Authorization Information
Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.
AC-24(2) - No User Or Process Identity
Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
REFERENCE MONITOR
RMF Control
AC-25
Subject Area
ACCESS CONTROL
Baseline Areas
NOT SELECTED
Description
A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smallness property helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy.
Instructions
Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Assessment Procedures
AC-25.1 - CCI-002356
The organization defines the access control policies to be implemented by the information system's reference monitor.
AC-25.2 - CCI-002357
The information system implements a reference monitor for organization-defined access control policies that is tamperproof.
AC-25.3 - CCI-002358
The information system implements a reference monitor for organization-defined access control policies that is always invoked.
AC-25.4 - CCI-002359
The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-16 - Security And Privacy Attributes
  3. SA-8 - Security And Privacy Engineering Principles
  4. SA-17 - Developer Security And Privacy Architecture And Design
  5. SC-3 - Security Function Isolation
  6. SC-11 - Trusted Path
  7. SC-39 - Process Isolation
  8. SI-13 - Predictable Failure Prevention
References
Enhancements
POLICY AND PROCEDURES
RMF Control
AT-1
Subject Area
AWARENESS AND TRAINING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
AT-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
AT-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
AT-1c.
Review and update the current awareness and training:
Assessment Procedures
AT-1.1 - CCI-002048
The organization defines the personnel or roles to whom the security awareness and training policy is disseminated.
AT-1.2 - CCI-002049
The organization defines the personnel or roles to whom the security awareness and training procedures are disseminated.
AT-1.3 - CCI-000100
The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AT-1.4 - CCI-000101
The organization disseminates a security awareness and training policy to organization-defined personnel or roles.
AT-1.6 - CCI-000103
The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
AT-1.7 - CCI-000104
The organization disseminates security awareness and training procedures to organization-defined personnel or roles.
AT-1.8 - CCI-000102
The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency.
AT-1.5 - CCI-001564
The organization defines the frequency of security awareness and training policy reviews and updates.
AT-1.9 - CCI-000105
The organization reviews and updates the current security awareness and training procedures in accordance with organization-defined frequency.
AT-1.10 - CCI-001565
The organization defines the frequency of security awareness and training procedure reviews and updates.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  6. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
LITERACY TRAINING AND AWARENESS
RMF Control
AT-2
Subject Area
AWARENESS AND TRAINING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information. Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
AT-2a.
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
AT-2b.
Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques];
AT-2c.
Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
AT-2d.
Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
Assessment Procedures
AT-2.1 - CCI-001480
The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors).
AT-2.2 - CCI-000106
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users.
AT-2.3 - CCI-000112
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes.
AT-2.4 - CCI-001479
The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-17 - Remote Access
  3. AC-22 - Publicly Accessible Content
  4. AT-3 - Role-Based Training
  5. AT-4 - Training Records
  6. CP-3 - Contingency Training
  7. IA-4 - Identifier Management
  8. IR-2 - Incident Response Training
  9. IR-7 - Incident Response Assistance
  10. IR-9 - Information Spillage Response
  11. PL-4 - Rules Of Behavior
  12. PM-13 - Security And Privacy Workforce
  13. PM-21 - Accounting Of Disclosures
  14. PS-7 - External Personnel Security
  15. PT-2 - Authority To Process Personally Identifiable Information
  16. SA-8 - Security And Privacy Engineering Principles
  17. SA-16 - Developer-Provided Training
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Office of the Director of National Intelligence (ODNI) Cyber Threat Framework., "ODNI CTF" https://www.dni.gov/index.php/cyber-threat-framewo
  3. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
  4. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
  5. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
AT-2(1) - Practical Exercises
Provide practical exercises in literacy training that simulate events and incidents.
AT-2(2) - Insider Threat
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-2(3) - Social Engineering And Mining
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
AT-2(4) - Suspicious Communications And Anomalous System Behavior
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code].
AT-2(5) - Advanced Persistent Threat
Provide literacy training on the advanced persistent threat.
AT-2(6) - Cyber Threat Environment
ROLE-BASED TRAINING
RMF Control
AT-3
Subject Area
AWARENESS AND TRAINING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
AT-3a.
Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]:
AT-3b.
Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
AT-3c.
Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
Assessment Procedures
AT-3.1 - CCI-000108
The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties
AT-3.2 - CCI-000109
The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes.
AT-3.3 - CCI-000110
The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency.
AT-3.4 - CCI-000111
The organization defines a frequency for providing refresher role-based security training.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-17 - Remote Access
  3. AC-22 - Publicly Accessible Content
  4. AT-2 - Literacy Training And Awareness
  5. AT-4 - Training Records
  6. CP-3 - Contingency Training
  7. IR-2 - Incident Response Training
  8. IR-4 - Incident Handling
  9. IR-7 - Incident Response Assistance
  10. IR-9 - Information Spillage Response
  11. PL-4 - Rules Of Behavior
  12. PM-13 - Security And Privacy Workforce
  13. PM-23 - Data Governance Body
  14. PS-7 - External Personnel Security
  15. PS-9 - Position Descriptions
  16. SA-3 - System Development Life Cycle
  17. SA-8 - Security And Privacy Engineering Principles
  18. SA-11 - Developer Testing And Evaluation
  19. SA-16 - Developer-Provided Training
  20. SR-5 - Acquisition Strategies, Tools, And Methods
  21. SR-6 - Supplier Assessments And Reviews
  22. SR-11 - Component Authenticity
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
  3. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
AT-3(1) - Environmental Controls
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
AT-3(2) - Physical Security Controls
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AT-3(3) - Practical Exercises
Provide practical exercises in security and privacy training that reinforce training objectives.
AT-3(4) - Suspicious Communications And Anomalous System Behavior
[Withdrawn: Moved to AT-2(4)].
AT-3(5) - Processing Personally Identifiable Information
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
TRAINING RECORDS
RMF Control
AT-4
Subject Area
AWARENESS AND TRAINING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.
Instructions
AT-4a.
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
AT-4b.
Retain individual training records for [Assignment: organization-defined time period].
Assessment Procedures
AT-4.1 - CCI-000113
The organization documents individual information system security training activities, including basic security awareness training and specific information system security training.
AT-4.2 - CCI-000114
The organization monitors individual information system security training activities, including basic security awareness training and specific information system security training.
AT-4.3 - CCI-001336
The organization retains individual training records for an organization-defined time period.
AT-4.4 - CCI-001337
The organization defines a time period for retaining individual training records.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. CP-3 - Contingency Training
  4. IR-2 - Incident Response Training
  5. PM-14 - Testing, Training, And Monitoring
  6. SI-12 - Information Management And Retention
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
RMF Control
AT-5
Subject Area
AWARENESS AND TRAINING
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into PM-15].
Assessment Procedures
Related Controls
References
Enhancements
TRAINING FEEDBACK
RMF Control
AT-6
Subject Area
AWARENESS AND TRAINING
Baseline Areas
NOT SELECTED
Description
Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.
Instructions
Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].
Assessment Procedures
Related Controls
References
Enhancements
POLICY AND PROCEDURES
RMF Control
AU-1
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
AU-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
AU-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
AU-1c.
Review and update the current audit and accountability:
Assessment Procedures
AU-1.1 - CCI-001930
The organization defines the organizational personnel or roles to whom the audit and accountability policy is to be disseminated.
AU-1.2 - CCI-001931
The organization defines the organizational personnel or roles to whom the audit and accountability procedures are to be disseminated.
AU-1.3 - CCI-000117
The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AU-1.4 - CCI-001832
The organization disseminates the audit and accountability policy to organization-defined personnel or roles.
AU-1.5 - CCI-000120
The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-1.6 - CCI-001834
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-1.7 - CCI-000119
The organization reviews and updates the audit and accountability policy on an organization-defined frequency.
AU-1.8 - CCI-001569
The organization defines the frequency on which it will review and update the audit and accountability policy.
AU-1.9 - CCI-000122
The organization reviews and updates the audit and accountability procedures on an organization-defined frequency.
AU-1.10 - CCI-001570
The organization defines the frequency on which it will review and update the audit and accountability procedures.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
Enhancements
EVENT LOGGING
RMF Control
AU-2
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.
Instructions
AU-2a.
Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
AU-2b.
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
AU-2c.
Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
AU-2d.
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
AU-2e.
Review and update the event types selected for logging [Assignment: organization-defined frequency].
Assessment Procedures
AU-2.1 - CCI-000123
The organization determines the information system must be capable of auditing an organization-defined list of auditable events.
AU-2.2 - CCI-001571
The organization defines the information system auditable events.
AU-2.3 - CCI-000124
The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
AU-2.4 - CCI-000125
The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents.
AU-2.7 - CCI-001485
The organization defines the events which are to be audited on the information system on an organization-defined frequency of (or situation requiring) auditing for each identified event.
AU-2.6 - CCI-001484
The organization defines frequency of (or situation requiring) auditing for each identified event.
AU-2.5 - CCI-000126
The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-6 - Least Privilege
  4. AC-7 - Unsuccessful Logon Attempts
  5. AC-8 - System Use Notification
  6. AC-16 - Security And Privacy Attributes
  7. AC-17 - Remote Access
  8. AU-3 - Content Of Audit Records
  9. AU-4 - Audit Log Storage Capacity
  10. AU-5 - Response To Audit Logging Process Failures
  11. AU-6 - Audit Record Review, Analysis, And Reporting
  12. AU-7 - Audit Record Reduction And Report Generation
  13. AU-11 - Audit Record Retention
  14. AU-12 - Audit Record Generation
  15. CM-3 - Configuration Change Control
  16. CM-5 - Access Restrictions For Change
  17. CM-6 - Configuration Settings
  18. CM-13 - Data Action Mapping
  19. IA-3 - Device Identification And Authentication
  20. MA-4 - Nonlocal Maintenance
  21. MP-4 - Media Storage
  22. PE-3 - Physical Access Control
  23. PM-21 - Accounting Of Disclosures
  24. PT-2 - Authority To Process Personally Identifiable Information
  25. PT-7 - Specific Categories Of Personally Identifiable Information
  26. RA-8 - Privacy Impact Assessments
  27. SA-8 - Security And Privacy Engineering Principles
  28. SC-7 - Boundary Protection
  29. SC-18 - Mobile Code
  30. SI-3 - Malicious Code Protection
  31. SI-4 - System Monitoring
  32. SI-7 - Software, Firmware, And Information Integrity
  33. SI-10 - Information Input Validation
  34. SI-11 - Error Handling
References
  1. Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92., "SP 800-92" https://doi.org/10.6028/NIST.SP.800-92
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AU-2(1) - Compilation Of Audit Records From Multiple Sources
[Withdrawn: Incorporated into AU-12].
AU-2(2) - Selection Of Audit Events By Component
[Withdrawn: Incorporated into AU-12].
AU-2(3) - Reviews And Updates
[Withdrawn: Incorporated into AU-2].
AU-2(4) - Privileged Functions
[Withdrawn: Incorporated into AC-6(9)].
CONTENT OF AUDIT RECORDS
RMF Control
AU-3
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.
Instructions
Ensure that audit records contain information that establishes the following:
AU-3a.
What type of event occurred;
AU-3b.
When the event occurred;
AU-3c.
Where the event occurred;
AU-3d.
Source of the event;
AU-3e.
Outcome of the event; and
AU-3f.
Identity of any individuals, subjects, or objects/entities associated with the event.
Assessment Procedures
AU-3.1 - CCI-000130
The information system generates audit records containing information that establishes what type of event occurred.
AU-3.2 - CCI-000131
The information system generates audit records containing information that establishes when an event occurred.
AU-3.3 - CCI-000132
The information system generates audit records containing information that establishes where the event occurred.
AU-3.4 - CCI-000133
The information system generates audit records containing information that establishes the source of the event.
AU-3.5 - CCI-000134
The information system generates audit records containing information that establishes the outcome of the event.
AU-3.6 - CCI-001487
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
Related Controls
  1. AU-2 - Event Logging
  2. AU-8 - Time Stamps
  3. AU-12 - Audit Record Generation
  4. AU-14 - Session Audit
  5. MA-4 - Nonlocal Maintenance
  6. PL-9 - Central Management
  7. SA-8 - Security And Privacy Engineering Principles
  8. SI-7 - Software, Firmware, And Information Integrity
  9. SI-11 - Error Handling
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AU-3(1) - Additional Audit Information
Generate audit records containing the following additional information: [Assignment: organization-defined additional information].
AU-3(2) - Centralized Management Of Planned Audit Record Content
[Withdrawn: Incorporated into PL-9].
AU-3(3) - Limit Personally Identifiable Information Elements
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].
AUDIT LOG STORAGE CAPACITY
RMF Control
AU-4
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Instructions
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Assessment Procedures
AU-4.1 - CCI-001848
The organization defines the audit record storage requirements.
AU-4.2 - CCI-001849
The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.
Related Controls
  1. AU-2 - Event Logging
  2. AU-5 - Response To Audit Logging Process Failures
  3. AU-6 - Audit Record Review, Analysis, And Reporting
  4. AU-7 - Audit Record Reduction And Report Generation
  5. AU-9 - Protection Of Audit Information
  6. AU-11 - Audit Record Retention
  7. AU-12 - Audit Record Generation
  8. AU-14 - Session Audit
  9. SI-4 - System Monitoring
References
Enhancements
AU-4(1) - Transfer To Alternate Storage
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
RESPONSE TO AUDIT LOGGING PROCESS FAILURES
RMF Control
AU-5
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.
Instructions
AU-5a.
Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and
AU-5b.
Take the following additional actions: [Assignment: organization-defined additional actions].
Assessment Procedures
AU-5.1 - CCI-000139
The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.
AU-5.2 - CCI-001572
The organization defines the personnel or roles to be alerted in the event of an audit processing failure.
AU-5.3 - CCI-000140
The information system takes organization defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
AU-5.4 - CCI-001490
The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
Related Controls
  1. AU-2 - Event Logging
  2. AU-4 - Audit Log Storage Capacity
  3. AU-7 - Audit Record Reduction And Report Generation
  4. AU-9 - Protection Of Audit Information
  5. AU-11 - Audit Record Retention
  6. AU-12 - Audit Record Generation
  7. AU-14 - Session Audit
  8. SI-4 - System Monitoring
  9. SI-12 - Information Management And Retention
References
Enhancements
AU-5(1) - Storage Capacity Warning
Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
AU-5(2) - Real-Time Alerts
Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].
AU-5(3) - Configurable Traffic Volume Thresholds
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds.
AU-5(4) - Shutdown On Failure
Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists.
AU-5(5) - Alternate Audit Logging Capability
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality].
AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING
RMF Control
AU-6
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
Instructions
AU-6a.
Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
AU-6b.
Report findings to [Assignment: organization-defined personnel or roles]; and
AU-6c.
Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Assessment Procedures
AU-6.1 - CCI-000148
The organization reviews and analyzes information system audit records on an organization defined frequency for indications of organization-defined inappropriate or unusual activity.
AU-6.2 - CCI-000151
The organization defines the frequency for the review and analysis of information system audit records for organization-defined inappropriate or unusual activity.
AU-6.3 - CCI-001862
The organization defines the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records.
AU-6.4 - CCI-000149
The organization reports any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity.
AU-6.5 - CCI-001863
The organization defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-5 - Separation Of Duties
  4. AC-6 - Least Privilege
  5. AC-7 - Unsuccessful Logon Attempts
  6. AC-17 - Remote Access
  7. AU-7 - Audit Record Reduction And Report Generation
  8. AU-16 - Cross-Organizational Audit Logging
  9. CA-2 - Control Assessments
  10. CA-7 - Continuous Monitoring
  11. CM-2 - Baseline Configuration
  12. CM-5 - Access Restrictions For Change
  13. CM-6 - Configuration Settings
  14. CM-10 - Software Usage Restrictions
  15. CM-11 - User-Installed Software
  16. IA-2 - Identification And Authentication (Organizational Users)
  17. IA-3 - Device Identification And Authentication
  18. IA-5 - Authenticator Management
  19. IA-8 - Identification And Authentication (Non-Organizational Users)
  20. IR-5 - Incident Monitoring
  21. MA-4 - Nonlocal Maintenance
  22. MP-4 - Media Storage
  23. PE-3 - Physical Access Control
  24. PE-6 - Monitoring Physical Access
  25. RA-5 - Vulnerability Monitoring And Scanning
  26. SA-8 - Security And Privacy Engineering Principles
  27. SC-7 - Boundary Protection
  28. SI-3 - Malicious Code Protection
  29. SI-4 - System Monitoring
  30. SI-7 - Software, Firmware, And Information Integrity
References
  1. Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1., "SP 800-101" https://doi.org/10.6028/NIST.SP.800-101r1
  2. Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86., "SP 800-86" https://doi.org/10.6028/NIST.SP.800-86
Enhancements
AU-6(1) - Automated Process Integration
Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
AU-6(2) - Automated Security Alerts
[Withdrawn: Incorporated into SI-4].
AU-6(3) - Correlate Audit Record Repositories
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
AU-6(4) - Central Review And Analysis
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(5) - Integrated Analysis Of Audit Records
Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6(6) - Correlation With Physical Monitoring
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6(7) - Permitted Actions
Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information.
AU-6(8) - Full Text Analysis Of Privileged Commands
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
AU-6(9) - Correlation With Information From Nontechnical Sources
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
AU-6(10) - Audit Level Adjustment
[Withdrawn: Incorporated into AU-6].
AUDIT RECORD REDUCTION AND REPORT GENERATION
RMF Control
AU-7
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
MODERATE, HIGH
Description
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
Instructions
Provide and implement an audit record reduction and report generation capability that:
AU-7a.
Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
AU-7b.
Does not alter the original content or time ordering of audit records.
Assessment Procedures
AU-7.1 - CCI-001875
The information system provides an audit reduction capability that supports on-demand audit review and analysis.
AU-7.2 - CCI-001876
The information system provides an audit reduction capability that supports on-demand reporting requirements.
AU-7.3 - CCI-001877
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
AU-7.4 - CCI-001878
The information system provides a report generation capability that supports on-demand audit review and analysis.
AU-7.5 - CCI-001879
The information system provides a report generation capability that supports on-demand reporting requirements.
AU-7.6 - CCI-001880
The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
AU-7.7 - CCI-001881
The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.
AU-7.8 - CCI-001882
The information system provides a report generation capability that does not alter original content or time ordering of audit records.
Related Controls
  1. AC-2 - Account Management
  2. AU-2 - Event Logging
  3. AU-3 - Content Of Audit Records
  4. AU-4 - Audit Log Storage Capacity
  5. AU-5 - Response To Audit Logging Process Failures
  6. AU-6 - Audit Record Review, Analysis, And Reporting
  7. AU-12 - Audit Record Generation
  8. AU-16 - Cross-Organizational Audit Logging
  9. CM-5 - Access Restrictions For Change
  10. IA-5 - Authenticator Management
  11. IR-4 - Incident Handling
  12. PM-12 - Insider Threat Program
  13. SI-4 - System Monitoring
References
Enhancements
AU-7(1) - Automatic Processing
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
AU-7(2) - Automatic Sort And Search
[Withdrawn: Incorporated into AU-7(1)].
TIME STAMPS
RMF Control
AU-8
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.
Instructions
AU-8a.
Use internal system clocks to generate time stamps for audit records; and
AU-8b.
Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
Assessment Procedures
AU-8.1 - CCI-000159
The information system uses internal system clocks to generate time stamps for audit records.
AU-8.2 - CCI-001888
The organization defines the granularity of time measurement for time stamps generated for audit records.
AU-8.3 - CCI-001889
The information system records time stamps for audit records that meets organization-defined granularity of time measurement.
AU-8.4 - CCI-001890
The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
Related Controls
  1. AU-3 - Content Of Audit Records
  2. AU-12 - Audit Record Generation
  3. AU-14 - Session Audit
  4. SC-45 - System Time Synchronization
References
Enhancements
AU-8(1) - Synchronization With Authoritative Time Source
[Withdrawn: Moved to SC-45(1)].
AU-8(2) - Secondary Authoritative Time Source
[Withdrawn: Moved to SC-45(2)].
PROTECTION OF AUDIT INFORMATION
RMF Control
AU-9
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
Instructions
AU-9a.
Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
AU-9b.
Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
Assessment Procedures
AU-9.1 - CCI-000162
The information system protects audit information from unauthorized access.
AU-9.2 - CCI-000163
The information system protects audit information from unauthorized modification.
AU-9.3 - CCI-000164
The information system protects audit information from unauthorized deletion.
AU-9.4 - CCI-001493
The information system protects audit tools from unauthorized access.
AU-9.5 - CCI-001494
The information system protects audit tools from unauthorized modification.
AU-9.6 - CCI-001495
The information system protects audit tools from unauthorized deletion.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-6 - Least Privilege
  3. AU-6 - Audit Record Review, Analysis, And Reporting
  4. AU-11 - Audit Record Retention
  5. AU-14 - Session Audit
  6. AU-15 - Alternate Audit Logging Capability
  7. MP-2 - Media Access
  8. MP-4 - Media Storage
  9. PE-2 - Physical Access Authorizations
  10. PE-3 - Physical Access Control
  11. PE-6 - Monitoring Physical Access
  12. SA-8 - Security And Privacy Engineering Principles
  13. SC-8 - Transmission Confidentiality And Integrity
  14. SI-4 - System Monitoring
References
  1. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  2. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  3. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
Enhancements
AU-9(1) - Hardware Write-Once Media
Write audit trails to hardware-enforced, write-once media.
AU-9(2) - Store On Separate Physical Systems Or Components
Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
AU-9(3) - Cryptographic Protection
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9(4) - Access By Subset Of Privileged Users
Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].
AU-9(5) - Dual Authorization
Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
AU-9(6) - Read-Only Access
Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].
AU-9(7) - Store On Component With Different Operating System
Store audit information on a component running a different operating system than the system or component being audited.
NON-REPUDIATION
RMF Control
AU-10
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
HIGH
Description
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
Instructions
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].
Assessment Procedures
AU-10.1 - CCI-000166
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
AU-10.2 - CCI-001899
The organization defines the action to be covered by non-repudiation.
Related Controls
  1. AU-9 - Protection Of Audit Information
  2. PM-12 - Insider Threat Program
  3. SA-8 - Security And Privacy Engineering Principles
  4. SC-8 - Transmission Confidentiality And Integrity
  5. SC-12 - Cryptographic Key Establishment And Management
  6. SC-13 - Cryptographic Protection
  7. SC-16 - Transmission Of Security And Privacy Attributes
  8. SC-17 - Public Key Infrastructure Certificates
  9. SC-23 - Session Authenticity
References
  1. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  2. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  3. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1., "SP 800-177" https://doi.org/10.6028/NIST.SP.800-177r1
Enhancements
AU-10(1) - Association Of Identities
AU-10(2) - Validate Binding Of Information Producer Identity
AU-10(3) - Chain Of Custody
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
AU-10(4) - Validate Binding Of Information Reviewer Identity
AU-10(5) - Digital Signatures
[Withdrawn: Incorporated into SI-7].
AUDIT RECORD RETENTION
RMF Control
AU-11
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.
Instructions
Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Assessment Procedures
AU-11.1 - CCI-000167
The organization retains audit records for an organization defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-11.2 - CCI-000168
The organization defines the time period for retention of audit records which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents, and meet regulatory and organizational information retention requirements.
Related Controls
  1. AU-2 - Event Logging
  2. AU-4 - Audit Log Storage Capacity
  3. AU-5 - Response To Audit Logging Process Failures
  4. AU-6 - Audit Record Review, Analysis, And Reporting
  5. AU-9 - Protection Of Audit Information
  6. AU-14 - Session Audit
  7. MP-6 - Media Sanitization
  8. RA-5 - Vulnerability Monitoring And Scanning
  9. SI-12 - Information Management And Retention
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AU-11(1) - Long-Term Retrieval Capability
Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.
AUDIT RECORD GENERATION
RMF Control
AU-12
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.
Instructions
AU-12a.
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
AU-12b.
Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
AU-12c.
Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
Assessment Procedures
AU-12.1 - CCI-000169
The information system provides audit record generation capability for the auditable events defined in AU-2 a at organization defined information system components.
AU-12.2 - CCI-001459
The organization defines information system components that provide audit record generation capability.
AU-12.3 - CCI-000171
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
AU-12.4 - CCI-001910
The organization defines the personnel or roles allowed select which auditable events are to be audited by specific components of the information system.
AU-12.5 - CCI-000172
The information system generates audit records for the events defined in AU-2 d with the content defined in AU-3.
Related Controls
  1. AC-6 - Least Privilege
  2. AC-17 - Remote Access
  3. AU-2 - Event Logging
  4. AU-3 - Content Of Audit Records
  5. AU-4 - Audit Log Storage Capacity
  6. AU-5 - Response To Audit Logging Process Failures
  7. AU-6 - Audit Record Review, Analysis, And Reporting
  8. AU-7 - Audit Record Reduction And Report Generation
  9. AU-14 - Session Audit
  10. CM-5 - Access Restrictions For Change
  11. MA-4 - Nonlocal Maintenance
  12. MP-4 - Media Storage
  13. PM-12 - Insider Threat Program
  14. SA-8 - Security And Privacy Engineering Principles
  15. SC-18 - Mobile Code
  16. SI-3 - Malicious Code Protection
  17. SI-4 - System Monitoring
  18. SI-7 - Software, Firmware, And Information Integrity
  19. SI-10 - Information Input Validation
References
Enhancements
AU-12(1) - System-Wide And Time-Correlated Audit Trail
Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
AU-12(2) - Standardized Formats
Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12(3) - Changes By Authorized Individuals
Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
AU-12(4) - Query Parameter Audits Of Personally Identifiable Information
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
MONITORING FOR INFORMATION DISCLOSURE
RMF Control
AU-13
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
NOT SELECTED
Description
Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational information include personally identifiable information retained by the organization or proprietary information generated by the organization.
Instructions
AU-13a.
Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and
AU-13b.
If an information disclosure is discovered:
Assessment Procedures
AU-13.1 - CCI-001460
The organization monitors organization-defined open source information and/or information sites per organization-defined frequency for evidence of unauthorized exfiltration or disclosure of organizational information.
AU-13.2 - CCI-001461
The organization defines a frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information.
AU-13.3 - CCI-001915
The organization defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.
Related Controls
  1. AC-22 - Publicly Accessible Content
  2. PE-3 - Physical Access Control
  3. PM-12 - Insider Threat Program
  4. RA-5 - Vulnerability Monitoring And Scanning
  5. SC-7 - Boundary Protection
  6. SI-20 - Tainting
References
Enhancements
AU-13(1) - Use Of Automated Tools
Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms].
AU-13(2) - Review Of Monitored Sites
Review the list of open-source information sites being monitored [Assignment: organization-defined frequency].
AU-13(3) - Unauthorized Replication Of Information
Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
SESSION AUDIT
RMF Control
AU-14
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
NOT SELECTED
Description
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including the use of personally identifiable information, are appropriately addressed.
Instructions
AU-14a.
Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and
AU-14b.
Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Assessment Procedures
AU-14.1 - CCI-001919
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-8 - System Use Notification
  3. AU-2 - Event Logging
  4. AU-3 - Content Of Audit Records
  5. AU-4 - Audit Log Storage Capacity
  6. AU-5 - Response To Audit Logging Process Failures
  7. AU-8 - Time Stamps
  8. AU-9 - Protection Of Audit Information
  9. AU-11 - Audit Record Retention
  10. AU-12 - Audit Record Generation
References
Enhancements
AU-14(1) - System Start-Up
Initiate session audits automatically at system start-up.
AU-14(2) - Capture And Record Content
[Withdrawn: Incorporated into AU-14].
AU-14(3) - Remote Viewing And Listening
Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
ALTERNATE AUDIT LOGGING CAPABILITY
RMF Control
AU-15
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
Description
Instructions
[Withdrawn: Moved to AU-5(5)].
Assessment Procedures
AU-15.1 - CCI-001921
The organization defines the alternative audit functionality to be provided in the event of a failure in the primary audit capability.
AU-15.2 - CCI-001922
The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality.
Related Controls
References
Enhancements
CROSS-ORGANIZATIONAL AUDIT LOGGING
RMF Control
AU-16
Subject Area
AUDIT AND ACCOUNTABILITY
Baseline Areas
NOT SELECTED
Description
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements.
Instructions
Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
Assessment Procedures
AU-16.1 - CCI-001923
The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries.
AU-16.2 - CCI-001924
The organization defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.
AU-16.3 - CCI-001925
The organization employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.
Related Controls
  1. AU-3 - Content Of Audit Records
  2. AU-6 - Audit Record Review, Analysis, And Reporting
  3. AU-7 - Audit Record Reduction And Report Generation
  4. CA-3 - Information Exchange
  5. PT-7 - Specific Categories Of Personally Identifiable Information
References
Enhancements
AU-16(1) - Identity Preservation
Preserve the identity of individuals in cross-organizational audit trails.
AU-16(2) - Sharing Of Audit Information
Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
AU-16(3) - Disassociability
Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries.
POLICY AND PROCEDURES
RMF Control
CA-1
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
CA-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
CA-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
CA-1c.
Review and update the current assessment, authorization, and monitoring:
Assessment Procedures
CA-1.1 - CCI-002061
The organization defines the personnel or roles to whom security assessment and authorization policy is to be disseminated.
CA-1.2 - CCI-002062
The organization defines the personnel or roles to whom the security assessment and authorization procedures are to be disseminated.
CA-1.3 - CCI-000239
The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CA-1.4 - CCI-000240
The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy.
CA-1.5 - CCI-000242
The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CA-1.6 - CCI-000243
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CA-1.7 - CCI-000238
The organization defines the frequency to review and update the current security assessment and authorization policy.
CA-1.8 - CCI-000241
The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency.
CA-1.9 - CCI-000244
The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency.
CA-1.10 - CCI-001578
The organization defines the frequency to review and update the current security assessment and authorization procedures.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  3. Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A., "SP 800-137A" https://doi.org/10.6028/NIST.SP.800-137A
  4. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  5. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  6. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  7. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  8. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  9. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  10. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CONTROL ASSESSMENTS
RMF Control
CA-2
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented. Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes. Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs. Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.
Instructions
CA-2a.
Select the appropriate assessor or assessment team for the type of assessment to be conducted;
CA-2b.
Develop a control assessment plan that describes the scope of the assessment including:
CA-2c.
Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
CA-2d.
Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
CA-2e.
Produce a control assessment report that document the results of the assessment; and
CA-2f.
Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
Assessment Procedures
CA-2.1 - CCI-000245
The organization develops a security assessment plan for the information system and its environment of operation. IG&VP WG Note: *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.2 - CCI-000246
The organization's security assessment plan describes the security controls and control enhancements under assessment. IG&VP WG Note *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.3 - CCI-000247
The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness. IG&VP WG Note: *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.4 - CCI-000248
The organization's security assessment plan describes assessment environment. *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.5 - CCI-002070
The organization's security assessment plan describes assessment team, assessment roles and responsibilities.
CA-2.6 - CCI-000251
The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements. IG&VP WG Note: *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.7 - CCI-000252
The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed. IG&VP WG Note: *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.8 - CCI-000253
The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation. IG&VP WG Note: *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.9 - CCI-000254
The organization provides the results of the security control assessment against information system and its environment of operation to organization-defined individuals or roles. IG&VP WG Note: *For DoD, the security assessment plan information is included in the Security Plan and the security assessment report and is not a separate document/artifact.*
CA-2.10 - CCI-002071
The organization defines the individuals or roles to whom the results of the security control assessment is to be provided.
Related Controls
  1. AC-20 - Use Of External Systems
  2. CA-5 - Plan Of Action And Milestones
  3. CA-6 - Authorization
  4. CA-7 - Continuous Monitoring
  5. PM-9 - Risk Management Strategy
  6. RA-5 - Vulnerability Monitoring And Scanning
  7. RA-10 - Threat Hunting
  8. SA-11 - Developer Testing And Evaluation
  9. SC-38 - Operations Security
  10. SI-3 - Malicious Code Protection
  11. SI-12 - Information Management And Retention
  12. SR-2 - Supply Chain Risk Management Plan
  13. SR-3 - Supply Chain Controls And Processes
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  3. Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1., "IR 8011-1" https://doi.org/10.6028/NIST.IR.8011-1
  4. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  5. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  6. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  7. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  8. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  9. Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115., "SP 800-115" https://doi.org/10.6028/NIST.SP.800-115
  10. Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1., "SP 800-18" https://doi.org/10.6028/NIST.SP.800-18r1
Enhancements
CA-2(1) - Independent Assessors
Employ independent assessors or assessment teams to conduct control assessments.
CA-2(2) - Specialized Assessments
Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].
CA-2(3) - Leveraging Results From External Organizations
Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].
INFORMATION EXCHANGE
RMF Control
CA-3
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH
Description
System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2), may help to communicate and reduce risk. Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.
Instructions
CA-3a.
Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
CA-3b.
Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
CA-3c.
Review and update the agreements [Assignment: organization-defined frequency].
Assessment Procedures
CA-3.1 - CCI-000257
The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.
CA-3.2 - CCI-000258
The organization documents, for each interconnection, the interface characteristics.
CA-3.3 - CCI-000259
The organization documents, for each interconnection, the security requirements.
CA-3.4 - CCI-000260
The organization documents, for each interconnection, the nature of the information communicated.
CA-3.5 - CCI-002083
The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency.
CA-3.6 - CCI-002084
The organization defines the frequency that reviews and updates to the Interconnection Security Agreements must be conducted.
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. AC-20 - Use Of External Systems
  3. AU-16 - Cross-Organizational Audit Logging
  4. CA-6 - Authorization
  5. IA-3 - Device Identification And Authentication
  6. IR-4 - Incident Handling
  7. PL-2 - System Security And Privacy Plans
  8. PT-7 - Specific Categories Of Personally Identifiable Information
  9. RA-3 - Risk Assessment
  10. SA-9 - External System Services
  11. SC-7 - Boundary Protection
  12. SI-12 - Information Management And Retention
References
  1. Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47., "SP 800-47" https://doi.org/10.6028/NIST.SP.800-47
  2. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CA-3(1) - Unclassified National Security System Connections
[Withdrawn: Moved to SC-7(25)].
CA-3(2) - Classified National Security System Connections
[Withdrawn: Moved to SC-7(26)].
CA-3(3) - Unclassified Non-National Security System Connections
[Withdrawn: Moved to SC-7(27)].
CA-3(4) - Connections To Public Networks
[Withdrawn: Moved to SC-7(28)].
CA-3(5) - Restrictions On External System Connections
[Withdrawn: Moved to SC-7(5)].
CA-3(6) - Transfer Authorizations
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
CA-3(7) - Transitive Information Exchanges
SECURITY CERTIFICATION
RMF Control
CA-4
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into CA-2].
Assessment Procedures
Related Controls
References
Enhancements
PLAN OF ACTION AND MILESTONES
RMF Control
CA-5
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.
Instructions
CA-5a.
Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
CA-5b.
Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
Assessment Procedures
CA-5.1 - CCI-000264
The organization develops a plan of action and milestones for the information system to document the organizations planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
CA-5.2 - CCI-000265
The organization defines the frequency to update existing plan of action and milestones for the information system.
CA-5.3 - CCI-000266
The organization updates, on an organization-defined frequency, existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Related Controls
  1. CA-2 - Control Assessments
  2. CA-7 - Continuous Monitoring
  3. PM-4 - Plan Of Action And Milestones Process
  4. PM-9 - Risk Management Strategy
  5. RA-7 - Risk Response
  6. SI-2 - Flaw Remediation
  7. SI-12 - Information Management And Retention
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CA-5(1) - Automation Support For Accuracy And Currency
Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms].
AUTHORIZATION
RMF Control
CA-6
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.
Instructions
CA-6a.
Assign a senior official as the authorizing official for the system;
CA-6b.
Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
CA-6c.
Ensure that the authorizing official for the system, before commencing operations:
CA-6d.
Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
CA-6e.
Update the authorizations [Assignment: organization-defined frequency].
Assessment Procedures
CA-6.1 - CCI-000270
The organization assigns a senior-level executive or manager as the authorizing official for the information system.
CA-6.2 - CCI-000271
The organization ensures the authorizing official authorizes the information system for processing before commencing operations.
CA-6.4 - CCI-000273
The organization defines the frequency of updating the security authorization.
CA-6.3 - CCI-000272
The organization updates the security authorization on an organization-defined frequency.
Related Controls
  1. CA-2 - Control Assessments
  2. CA-3 - Information Exchange
  3. CA-7 - Continuous Monitoring
  4. PM-9 - Risk Management Strategy
  5. PM-10 - Authorization Process
  6. RA-3 - Risk Assessment
  7. SA-10 - Developer Configuration Management
  8. SI-12 - Information Management And Retention
References
  1. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CA-6(1) - Joint Authorization — Intra-Organization
Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.
CA-6(2) - Joint Authorization — Inter-Organization
Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
CONTINUOUS MONITORING
RMF Control
CA-7
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions. Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, and SI-4.
Instructions
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
CA-7a.
Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
CA-7b.
Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
CA-7c.
Ongoing control assessments in accordance with the continuous monitoring strategy;
CA-7d.
Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
CA-7e.
Correlation and analysis of information generated by control assessments and monitoring;
CA-7f.
Response actions to address results of the analysis of control assessment and monitoring information; and
CA-7g.
Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Assessment Procedures
CA-7.1 - CCI-000274
The organization develops a continuous monitoring strategy.
CA-7.2 - CCI-002087
The organization establishes and defines the metrics to be monitored for the continuous monitoring program.
CA-7.3 - CCI-002088
The organization establishes and defines the frequencies for continuous monitoring.
CA-7.4 - CCI-002089
The organization establishes and defines the frequencies for assessments supporting continuous monitoring.
CA-7.5 - CCI-000279
The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
CA-7.6 - CCI-002090
The organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
CA-7.7 - CCI-002091
The organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
CA-7.8 - CCI-002092
The organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
CA-7.10 - CCI-000281
The organization defines the frequency to report the security status of organization and the information system to organization-defined personnel or roles.
CA-7.11 - CCI-001581
The organization defines personnel or roles to whom the security status of organization and the information system should be reported.
CA-7.9 - CCI-000280
The organization implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles on an organization-defined frequency.
Related Controls
  1. AC-2 - Account Management
  2. AC-6 - Least Privilege
  3. AC-17 - Remote Access
  4. AT-4 - Training Records
  5. AU-6 - Audit Record Review, Analysis, And Reporting
  6. AU-13 - Monitoring For Information Disclosure
  7. CA-2 - Control Assessments
  8. CA-5 - Plan Of Action And Milestones
  9. CA-6 - Authorization
  10. CM-3 - Configuration Change Control
  11. CM-4 - Impact Analyses
  12. CM-6 - Configuration Settings
  13. CM-11 - User-Installed Software
  14. IA-5 - Authenticator Management
  15. IR-5 - Incident Monitoring
  16. MA-2 - Controlled Maintenance
  17. MA-3 - Maintenance Tools
  18. MA-4 - Nonlocal Maintenance
  19. PE-3 - Physical Access Control
  20. PE-6 - Monitoring Physical Access
  21. PE-14 - Environmental Controls
  22. PE-16 - Delivery And Removal
  23. PE-20 - Asset Monitoring And Tracking
  24. PL-2 - System Security And Privacy Plans
  25. PM-4 - Plan Of Action And Milestones Process
  26. PM-6 - Measures Of Performance
  27. PM-9 - Risk Management Strategy
  28. PM-10 - Authorization Process
  29. PM-12 - Insider Threat Program
  30. PM-14 - Testing, Training, And Monitoring
  31. PM-23 - Data Governance Body
  32. PM-28 - Risk Framing
  33. PM-31 - Continuous Monitoring Strategy
  34. PS-7 - External Personnel Security
  35. PT-7 - Specific Categories Of Personally Identifiable Information
  36. RA-3 - Risk Assessment
  37. RA-5 - Vulnerability Monitoring And Scanning
  38. RA-7 - Risk Response
  39. RA-10 - Threat Hunting
  40. SA-8 - Security And Privacy Engineering Principles
  41. SA-9 - External System Services
  42. SA-11 - Developer Testing And Evaluation
  43. SC-5 - Denial-Of-Service Protection
  44. SC-7 - Boundary Protection
  45. SC-18 - Mobile Code
  46. SC-38 - Operations Security
  47. SC-43 - Usage Restrictions
  48. SI-3 - Malicious Code Protection
  49. SI-4 - System Monitoring
  50. SI-12 - Information Management And Retention
  51. SR-6 - Supplier Assessments And Reviews
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  3. Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1., "IR 8011-1" https://doi.org/10.6028/NIST.IR.8011-1
  4. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  5. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  6. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  8. Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115., "SP 800-115" https://doi.org/10.6028/NIST.SP.800-115
Enhancements
CA-7(1) - Independent Assessment
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
CA-7(2) - Types Of Assessments
[Withdrawn: Incorporated into CA-2].
CA-7(3) - Trend Analyses
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.
CA-7(4) - Risk Monitoring
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
CA-7(5) - Consistency Analysis
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions].
CA-7(6) - Automation Support For Monitoring
Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms].
PENETRATION TESTING
RMF Control
CA-8
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
HIGH
Description
Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.
Instructions
Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].
Assessment Procedures
CA-8.2 - CCI-002094
The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components.
CA-8.3 - CCI-002095
The organization defines the information systems or system components on which penetration testing will be conducted.
CA-8.1 - CCI-002093
The organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components.
Related Controls
  1. RA-5 - Vulnerability Monitoring And Scanning
  2. RA-10 - Threat Hunting
  3. SA-11 - Developer Testing And Evaluation
  4. SR-5 - Acquisition Strategies, Tools, And Methods
  5. SR-6 - Supplier Assessments And Reviews
References
Enhancements
CA-8(1) - Independent Penetration Testing Agent Or Team
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
CA-8(2) - Red Team Exercises
Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises].
CA-8(3) - Facility Penetration Testing
Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.
INTERNAL SYSTEM CONNECTIONS
RMF Control
CA-9
Subject Area
ASSESSMENT, AUTHORIZATION, AND MONITORING
Baseline Areas
LOW, MODERATE, HIGH
Description
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.
Instructions
CA-9a.
Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system;
CA-9b.
Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
CA-9c.
Terminate internal system connections after [Assignment: organization-defined conditions]; and
CA-9d.
Review [Assignment: organization-defined frequency] the continued need for each internal connection.
Assessment Procedures
CA-9.1 - CCI-002101
The organization authorizes internal connections of organization-defined information system components or classes of components to the information system.
CA-9.2 - CCI-002102
The organization defines the information system components or classes of components that that are authorized internal connections to the information system.
CA-9.3 - CCI-002103
The organization documents, for each internal connection, the interface characteristics.
CA-9.4 - CCI-002104
The organization documents, for each internal connection, the security requirements.
CA-9.5 - CCI-002105
The organization documents, for each internal connection, the nature of the information communicated.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-18 - Wireless Access
  4. AC-19 - Access Control For Mobile Devices
  5. CM-2 - Baseline Configuration
  6. IA-3 - Device Identification And Authentication
  7. SC-7 - Boundary Protection
  8. SI-12 - Information Management And Retention
References
  1. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  2. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
CA-9(1) - Compliance Checks
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
POLICY AND PROCEDURES
RMF Control
CM-1
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
CM-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
CM-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
CM-1c.
Review and update the current configuration management:
Assessment Procedures
CM-1.1 - CCI-001821
The organization defines the organizational personnel or roles to whom the configuration management policy is to be disseminated.
CM-1.2 - CCI-001824
The organization defines the organizational personnel or roles to whom the configuration management procedures are to be disseminated.
CM-1.3 - CCI-000287
The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CM-1.4 - CCI-001822
The organization disseminates the configuration management policy to organization defined personnel or roles.
CM-1.5 - CCI-000290
The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-1.6 - CCI-001825
The organization disseminates to organization defined personnel or roles the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-1.8 - CCI-000289
The organization reviews and updates, on an organization defined frequency, the configuration management policy.
CM-1.7 - CCI-000286
The organization defines a frequency to review and update the configuration management policies.
CM-1.9 - CCI-000292
The organization reviews and updates, on an organization defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-1.10 - CCI-001584
The organization defines the frequency to review and update configuration management procedures.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SA-8 - Security And Privacy Engineering Principles
  4. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
BASELINE CONFIGURATION
RMF Control
CM-2
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
Instructions
CM-2a.
Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
CM-2b.
Review and update the baseline configuration of the system:
Assessment Procedures
CM-2.1 - CCI-000293
The organization develops and documents a current baseline configuration of the information system.
CM-2.2 - CCI-000295
The organization maintains under configuration control, a current baseline configuration of the information system.
Related Controls
  1. AC-19 - Access Control For Mobile Devices
  2. AU-6 - Audit Record Review, Analysis, And Reporting
  3. CA-9 - Internal System Connections
  4. CM-1 - Policy And Procedures
  5. CM-3 - Configuration Change Control
  6. CM-5 - Access Restrictions For Change
  7. CM-6 - Configuration Settings
  8. CM-8 - System Component Inventory
  9. CM-9 - Configuration Management Plan
  10. CP-9 - System Backup
  11. CP-10 - System Recovery And Reconstitution
  12. CP-12 - Safe Mode
  13. MA-2 - Controlled Maintenance
  14. PL-8 - Security And Privacy Architectures
  15. PM-5 - System Inventory
  16. SA-8 - Security And Privacy Engineering Principles
  17. SA-10 - Developer Configuration Management
  18. SA-15 - Development Process, Standards, And Tools
  19. SC-18 - Mobile Code
References
  1. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
  2. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
CM-2(1) - Reviews And Updates
[Withdrawn: Incorporated into CM-2].
CM-2(2) - Automation Support For Accuracy And Currency
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].
CM-2(3) - Retention Of Previous Configurations
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
CM-2(4) - Unauthorized Software
[Withdrawn: Incorporated into CM-7(4)].
CM-2(5) - Authorized Software
[Withdrawn: Incorporated into CM-7(5)].
CM-2(6) - Development And Test Environments
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7) - Configure Systems And Components For High-Risk Areas
CONFIGURATION CHANGE CONTROL
RMF Control
CM-3
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
MODERATE, HIGH
Description
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.
Instructions
CM-3a.
Determine and document the types of changes to the system that are configuration-controlled;
CM-3b.
Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
CM-3c.
Document configuration change decisions associated with the system;
CM-3d.
Implement approved configuration-controlled changes to the system;
CM-3e.
Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
CM-3f.
Monitor and review activities associated with configuration-controlled changes to the system; and
CM-3g.
Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].
Assessment Procedures
CM-3.1 - CCI-000313
The organization determines the types of changes to the information system that are configuration controlled.
CM-3.3 - CCI-001740
The organization reviews proposed configuration controlled changes to the information system.
CM-3.2 - CCI-000314
The organization approves or disapproves configuration controlled changes to the information system with explicit consideration for security impact analysis.
CM-3.4 - CCI-001741
The organization documents configuration change decisions associated with the information system.
CM-3.5 - CCI-001819
The organization implements approved configuration-controlled changes to the information system.
CM-3.6 - CCI-000316
The organization retains records of configuration-controlled changes to the information system for an organization-defined time period.
CM-3.7 - CCI-002056
The organization defines the time period the record of configuration-controlled changes are to be retained.
CM-3.8 - CCI-000318
The organization audits and reviews activities associated with configuration controlled changes to the system.
CM-3.9 - CCI-000319
The organization coordinates and provides oversight for configuration change control activities through an organization defined configuration change control element (e.g., committee, board) that convenes at the organization defined frequency and/or for any organization defined configuration change conditions.
CM-3.10 - CCI-000320
The organization defines frequency to convene configuration change control element.
CM-3.11 - CCI-000321
The organization defines configuration change conditions that prompt the configuration change control element to convene.
CM-3.12 - CCI-001586
The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities.
Related Controls
  1. CA-7 - Continuous Monitoring
  2. CM-2 - Baseline Configuration
  3. CM-4 - Impact Analyses
  4. CM-5 - Access Restrictions For Change
  5. CM-6 - Configuration Settings
  6. CM-9 - Configuration Management Plan
  7. CM-11 - User-Installed Software
  8. IA-3 - Device Identification And Authentication
  9. MA-2 - Controlled Maintenance
  10. PE-16 - Delivery And Removal
  11. PT-6 - System Of Records Notice
  12. RA-8 - Privacy Impact Assessments
  13. SA-8 - Security And Privacy Engineering Principles
  14. SA-10 - Developer Configuration Management
  15. SC-28 - Protection Of Information At Rest
  16. SC-34 - Non-Modifiable Executable Programs
  17. SC-37 - Out-Of-Band Channels
  18. SI-2 - Flaw Remediation
  19. SI-3 - Malicious Code Protection
  20. SI-4 - System Monitoring
  21. SI-7 - Software, Firmware, And Information Integrity
  22. SI-10 - Information Input Validation
  23. SR-11 - Component Authenticity
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
  3. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
CM-3(1) - Automated Documentation, Notification, And Prohibition Of Changes
Use [Assignment: organization-defined automated mechanisms] to:
CM-3(2) - Testing, Validation, And Documentation Of Changes
Test, validate, and document changes to the system before finalizing the implementation of the changes.
CM-3(3) - Automated Change Implementation
Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].
CM-3(4) - Security And Privacy Representatives
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].
CM-3(5) - Automated Security Response
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].
CM-3(6) - Cryptography Management
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].
CM-3(7) - Review System Changes
Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CM-3(8) - Prevent Or Restrict Configuration Changes
Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].
IMPACT ANALYSES
RMF Control
CM-4
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.
Instructions
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Assessment Procedures
CM-4.1 - CCI-000333
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Related Controls
  1. CA-7 - Continuous Monitoring
  2. CM-3 - Configuration Change Control
  3. CM-8 - System Component Inventory
  4. CM-9 - Configuration Management Plan
  5. MA-2 - Controlled Maintenance
  6. RA-3 - Risk Assessment
  7. RA-5 - Vulnerability Monitoring And Scanning
  8. RA-8 - Privacy Impact Assessments
  9. SA-5 - System Documentation
  10. SA-8 - Security And Privacy Engineering Principles
  11. SA-10 - Developer Configuration Management
  12. SI-2 - Flaw Remediation
References
  1. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
Enhancements
CM-4(1) - Separate Test Environments
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4(2) - Verification Of Controls
After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.
ACCESS RESTRICTIONS FOR CHANGE
RMF Control
CM-5
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).
Instructions
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Assessment Procedures
CM-5.1 - CCI-000338
The organization defines physical access restrictions associated with changes to the information system.
CM-5.2 - CCI-000339
The organization documents physical access restrictions associated with changes to the information system.
CM-5.3 - CCI-000340
The organization approves physical access restrictions associated with changes to the information system.
CM-5.4 - CCI-000341
The organization enforces physical access restrictions associated with changes to the information system.
CM-5.5 - CCI-000342
The organization defines logical access restrictions associated with changes to the information system.
CM-5.6 - CCI-000343
The organization documents logical access restrictions associated with changes to the information system.
CM-5.7 - CCI-000344
The organization approves logical access restrictions associated with changes to the information system.
CM-5.8 - CCI-000345
The organization enforces logical access restrictions associated with changes to the information system.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-5 - Separation Of Duties
  3. AC-6 - Least Privilege
  4. CM-9 - Configuration Management Plan
  5. PE-3 - Physical Access Control
  6. SC-28 - Protection Of Information At Rest
  7. SC-34 - Non-Modifiable Executable Programs
  8. SC-37 - Out-Of-Band Channels
  9. SI-2 - Flaw Remediation
  10. SI-10 - Information Input Validation
References
  1. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  2. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
Enhancements
CM-5(1) - Automated Access Enforcement And Audit Records
CM-5(2) - Review System Changes
[Withdrawn: Incorporated into CM-3(7)].
CM-5(3) - Signed Components
[Withdrawn: Moved to CM-14].
CM-5(4) - Dual Authorization
Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information].
CM-5(5) - Privilege Limitation For Production And Operation
CM-5(6) - Limit Library Privileges
Limit privileges to change software resident within software libraries.
CM-5(7) - Automatic Implementation Of Security Safeguards
[Withdrawn: Incorporated into SI-7].
CONFIGURATION SETTINGS
RMF Control
CM-6
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.
Instructions
CM-6a.
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
CM-6b.
Implement the configuration settings;
CM-6c.
Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
CM-6d.
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
Assessment Procedures
CM-6.1 - CCI-000363
The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.
CM-6.2 - CCI-000364
The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.
CM-6.3 - CCI-000365
The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.
CM-6.4 - CCI-001588
The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.
CM-6.5 - CCI-000366
The organization implements the security configuration settings.
CM-6.6 - CCI-000367
The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CM-6.7 - CCI-000368
The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CM-6.8 - CCI-000369
The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CM-6.9 - CCI-001755
The organization defines the information system components for which any deviation from the established configuration settings are to be identified, documented and approved.
CM-6.10 - CCI-001756
The organization defines the operational requirements on which the configuration settings for the organization-defined information system components are to be based.
CM-6.11 - CCI-001502
The organization monitors changes to the configuration settings in accordance with organizational policies and procedures.
CM-6.12 - CCI-001503
The organization controls changes to the configuration settings in accordance with organizational policies and procedures.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-19 - Access Control For Mobile Devices
  3. AU-2 - Event Logging
  4. AU-6 - Audit Record Review, Analysis, And Reporting
  5. CA-9 - Internal System Connections
  6. CM-2 - Baseline Configuration
  7. CM-3 - Configuration Change Control
  8. CM-5 - Access Restrictions For Change
  9. CM-7 - Least Functionality
  10. CM-11 - User-Installed Software
  11. CP-7 - Alternate Processing Site
  12. CP-9 - System Backup
  13. CP-10 - System Recovery And Reconstitution
  14. IA-3 - Device Identification And Authentication
  15. IA-5 - Authenticator Management
  16. PL-8 - Security And Privacy Architectures
  17. PL-9 - Central Management
  18. RA-5 - Vulnerability Monitoring And Scanning
  19. SA-4 - Acquisition Process
  20. SA-5 - System Documentation
  21. SA-8 - Security And Privacy Engineering Principles
  22. SA-9 - External System Services
  23. SC-18 - Mobile Code
  24. SC-28 - Protection Of Information At Rest
  25. SC-43 - Usage Restrictions
  26. SI-2 - Flaw Remediation
  27. SI-4 - System Monitoring
  28. SI-6 - Security And Privacy Function Verification
References
  1. Defense Information Systems Agency, ., "DOD STIG" https://public.cyber.mil/stigs
  2. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
  3. National Institute of Standards and Technology (2020) . Available at, "NCPR" https://nvd.nist.gov/ncp/repository
  4. National Institute of Standards and Technology (2020) . Available at, "USGCB" https://csrc.nist.gov/projects/united-states-gover
  5. Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4., "SP 800-70" https://doi.org/10.6028/NIST.SP.800-70r4
  6. Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3., "SP 800-126" https://doi.org/10.6028/NIST.SP.800-126r3
Enhancements
CM-6(1) - Automated Management, Application, And Verification
Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].
CM-6(2) - Respond To Unauthorized Changes
Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions].
CM-6(3) - Unauthorized Change Detection
[Withdrawn: Incorporated into SI-7].
CM-6(4) - Conformance Demonstration
[Withdrawn: Incorporated into CM-4].
LEAST FUNCTIONALITY
RMF Control
CM-7
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).
Instructions
CM-7a.
Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
CM-7b.
Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
Assessment Procedures
CM-7.2 - CCI-000380
The organization defines for the information system prohibited or restricted functions, ports, protocols, and/or services.
CM-7.1 - CCI-000381
The organization configures the information system to provide only essential capabilities.
CM-7.3 - CCI-000382
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. CM-2 - Baseline Configuration
  4. CM-5 - Access Restrictions For Change
  5. CM-6 - Configuration Settings
  6. CM-11 - User-Installed Software
  7. RA-5 - Vulnerability Monitoring And Scanning
  8. SA-4 - Acquisition Process
  9. SA-5 - System Documentation
  10. SA-8 - Security And Privacy Engineering Principles
  11. SA-9 - External System Services
  12. SA-15 - Development Process, Standards, And Tools
  13. SC-2 - Separation Of System And User Functionality
  14. SC-3 - Security Function Isolation
  15. SC-7 - Boundary Protection
  16. SC-37 - Out-Of-Band Channels
  17. SI-4 - System Monitoring
References
  1. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  2. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  3. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167., "SP 800-167" https://doi.org/10.6028/NIST.SP.800-167
Enhancements
CM-7(1) - Periodic Review
CM-7(2) - Prevent Program Execution
Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CM-7(3) - Registration Compliance
Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CM-7(4) - Unauthorized Software — Deny-By-Exception
CM-7(5) - Authorized Software — Allow-By-Exception
CM-7(6) - Confined Environments With Limited Privileges
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].
CM-7(7) - Code Execution In Protected Environments
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:
CM-7(8) - Binary Or Machine Executable Code
CM-7(9) - Prohibiting The Use Of Unauthorized Hardware
SYSTEM COMPONENT INVENTORY
RMF Control
CM-8
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.
Instructions
CM-8a.
Develop and document an inventory of system components that:
CM-8b.
Review and update the system component inventory [Assignment: organization-defined frequency].
Assessment Procedures
CM-8.1 - CCI-000389
The organization develops and documents an inventory of information system components that accurately reflects the current information system.
CM-8.2 - CCI-000392
The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system.
CM-8.3 - CCI-000395
The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CM-8.4 - CCI-000398
The organization defines information deemed necessary to achieve effective information system component accountability.
CM-8.5 - CCI-000399
The organization develops and documents an inventory of information system components that includes organization defined information deemed necessary to achieve effective information system component accountability.
CM-8.6 - CCI-001779
The organization defines the frequency on which the information system component inventory is to be reviewed and updated
CM-8.7 - CCI-001780
The organization reviews and updates the information system component inventory per organization-defined frequency.
Related Controls
  1. CM-2 - Baseline Configuration
  2. CM-7 - Least Functionality
  3. CM-9 - Configuration Management Plan
  4. CM-10 - Software Usage Restrictions
  5. CM-11 - User-Installed Software
  6. CM-13 - Data Action Mapping
  7. CP-2 - Contingency Plan
  8. CP-9 - System Backup
  9. MA-2 - Controlled Maintenance
  10. MA-6 - Timely Maintenance
  11. PE-20 - Asset Monitoring And Tracking
  12. PL-9 - Central Management
  13. PM-5 - System Inventory
  14. SA-4 - Acquisition Process
  15. SA-5 - System Documentation
  16. SI-2 - Flaw Remediation
  17. SR-4 - Provenance
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
  4. Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3., "IR 8011-3" https://doi.org/10.6028/NIST.IR.8011-3
  5. Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2., "IR 8011-2" https://doi.org/10.6028/NIST.IR.8011-2
  6. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CM-8(1) - Updates During Installation And Removal
Update the inventory of system components as part of component installations, removals, and system updates.
CM-8(2) - Automated Maintenance
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].
CM-8(3) - Automated Unauthorized Component Detection
CM-8(4) - Accountability Information
Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components.
CM-8(5) - No Duplicate Accounting Of Components
[Withdrawn: Incorporated into CM-8].
CM-8(6) - Assessed Configurations And Approved Deviations
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
CM-8(7) - Centralized Repository
Provide a centralized repository for the inventory of system components.
CM-8(8) - Automated Location Tracking
Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].
CM-8(9) - Assignment Of Components To Systems
CONFIGURATION MANAGEMENT PLAN
RMF Control
CM-9
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
MODERATE, HIGH
Description
Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents. Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.
Instructions
Develop, document, and implement a configuration management plan for the system that:
CM-9a.
Addresses roles, responsibilities, and configuration management processes and procedures;
CM-9b.
Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
CM-9c.
Defines the configuration items for the system and places the configuration items under configuration management;
CM-9d.
Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
CM-9e.
Protects the configuration management plan from unauthorized disclosure and modification.
Assessment Procedures
CM-9.1 - CCI-000421
The organization develops and documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CM-9.2 - CCI-000423
The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CM-9.7 - CCI-000424
The organization develops and documents a configuration management plan for the information system that defines the configuration items for the information system.
CM-9.8 - CCI-000426
The organization implements a configuration management plan for the information system that defines the configuration items for the information system.
CM-9.3 - CCI-001790
The organization develops and documents a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
CM-9.4 - CCI-001792
The organization implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
CM-9.5 - CCI-001793
The organization develops and documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CM-9.6 - CCI-001795
The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CM-9.9 - CCI-001796
The organization develops and documents a configuration management plan for the information system that places the configuration items under configuration management.
CM-9.10 - CCI-001798
The organization implements a configuration management plan for the information system that places the configuration items under configuration management.
CM-9.11 - CCI-001799
The organization develops a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.
CM-9.12 - CCI-001801
The organization implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.
Related Controls
  1. CM-2 - Baseline Configuration
  2. CM-3 - Configuration Change Control
  3. CM-4 - Impact Analyses
  4. CM-5 - Access Restrictions For Change
  5. CM-8 - System Component Inventory
  6. PL-2 - System Security And Privacy Plans
  7. RA-8 - Privacy Impact Assessments
  8. SA-10 - Developer Configuration Management
  9. SI-12 - Information Management And Retention
References
  1. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
Enhancements
CM-9(1) - Assignment Of Responsibility
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
SOFTWARE USAGE RESTRICTIONS
RMF Control
CM-10
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.
Instructions
CM-10a.
Use software and associated documentation in accordance with contract agreements and copyright laws;
CM-10b.
Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
CM-10c.
Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Assessment Procedures
CM-10.1 - CCI-001726
The organization uses software in accordance with contract agreements.
CM-10.2 - CCI-001727
The organization uses software documentation in accordance with contract agreements.
CM-10.3 - CCI-001728
The organization uses software in accordance with copyright laws.
CM-10.4 - CCI-001729
The organization uses software documentation in accordance with copyright laws.
CM-10.5 - CCI-001730
The organization tracks the use of software protected by quantity licenses to control copying of the software.
CM-10.7 - CCI-001802
The organization tracks the use of software documentation protected by quantity licenses to control copying of the software documentation.
CM-10.8 - CCI-001803
The organization tracks the use of software protected by quantity licenses to control distribution of the software.
CM-10.6 - CCI-001731
The organization tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation.
CM-10.9 - CCI-001732
The organization controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-10.10 - CCI-001733
The organization documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Related Controls
  1. AC-17 - Remote Access
  2. AU-6 - Audit Record Review, Analysis, And Reporting
  3. CM-7 - Least Functionality
  4. CM-8 - System Component Inventory
  5. PM-30 - Supply Chain Risk Management Strategy
  6. SC-7 - Boundary Protection
References
Enhancements
CM-10(1) - Open-Source Software
Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions].
USER-INSTALLED SOFTWARE
RMF Control
CM-11
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.
Instructions
CM-11a.
Establish [Assignment: organization-defined policies] governing the installation of software by users;
CM-11b.
Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
CM-11c.
Monitor policy compliance [Assignment: organization-defined frequency].
Assessment Procedures
CM-11.1 - CCI-001804
The organization defines the policies for governing the installation of software by users.
CM-11.2 - CCI-001805
The organization establishes organization-defined policies governing the installation of software by users.
CM-11.3 - CCI-001806
The organization defines methods to be employed to enforce the software installation policies.
CM-11.4 - CCI-001807
The organization enforces software installation policies through organization-defined methods.
CM-11.5 - CCI-001808
The organization defines the frequency on which it will monitor software installation policy compliance.
CM-11.6 - CCI-001809
The organization monitors software installation policy compliance per organization-defined frequency.
Related Controls
  1. AC-3 - Access Enforcement
  2. AU-6 - Audit Record Review, Analysis, And Reporting
  3. CM-2 - Baseline Configuration
  4. CM-3 - Configuration Change Control
  5. CM-5 - Access Restrictions For Change
  6. CM-6 - Configuration Settings
  7. CM-7 - Least Functionality
  8. CM-8 - System Component Inventory
  9. PL-4 - Rules Of Behavior
  10. SI-4 - System Monitoring
  11. SI-7 - Software, Firmware, And Information Integrity
References
Enhancements
CM-11(1) - Alerts For Unauthorized Installations
[Withdrawn: Incorporated into CM-8(3)].
CM-11(2) - Software Installation With Privileged Status
Allow user installation of software only with explicit privileged status.
CM-11(3) - Automated Enforcement And Monitoring
Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms].
INFORMATION LOCATION
RMF Control
CM-12
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
MODERATE, HIGH
Description
Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).
Instructions
CM-12a.
Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
CM-12b.
Identify and document the users who have access to the system and system components where the information is processed and stored; and
CM-12c.
Document changes to the location (i.e., system or system components) where the information is processed and stored.
Assessment Procedures
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-4 - Information Flow Enforcement
  4. AC-6 - Least Privilege
  5. AC-23 - Data Mining Protection
  6. CM-8 - System Component Inventory
  7. PM-5 - System Inventory
  8. RA-2 - Security Categorization
  9. SA-4 - Acquisition Process
  10. SA-8 - Security And Privacy Engineering Principles
  11. SA-17 - Developer Security And Privacy Architecture And Design
  12. SC-4 - Information In Shared System Resources
  13. SC-16 - Transmission Of Security And Privacy Attributes
  14. SC-28 - Protection Of Information At Rest
  15. SI-4 - System Monitoring
  16. SI-7 - Software, Firmware, And Information Integrity
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  2. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  3. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
CM-12(1) - Automated Tools To Support Information Location
Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
DATA ACTION MAPPING
RMF Control
CM-13
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, system components involved in the data actions, and the owners or operators of the system components. Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed in another part of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. Data maps can be illustrated in different ways, and the level of detail may vary based on the mission and business needs of the organization. The data map may be an overlay of any system design artifact that the organization is using. The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system.
Instructions
Develop and document a map of system data actions.
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. CM-4 - Impact Analyses
  3. CM-12 - Information Location
  4. PM-5 - System Inventory
  5. PM-27 - Privacy Reporting
  6. PT-2 - Authority To Process Personally Identifiable Information
  7. PT-3 - Personally Identifiable Information Processing Purposes
  8. RA-3 - Risk Assessment
  9. RA-8 - Privacy Impact Assessments
References
Enhancements
SIGNED COMPONENTS
RMF Control
CM-14
Subject Area
CONFIGURATION MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.
Instructions
Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Assessment Procedures
Related Controls
  1. CM-7 - Least Functionality
  2. SC-12 - Cryptographic Key Establishment And Management
  3. SC-13 - Cryptographic Protection
  4. SI-7 - Software, Firmware, And Information Integrity
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
Enhancements
POLICY AND PROCEDURES
RMF Control
CP-1
Subject Area
CONTINGENCY PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
CP-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
CP-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
CP-1c.
Review and update the current contingency planning:
Assessment Procedures
CP-1.3 - CCI-002825
The organization defines personnel or roles to whom the contingency planning policy is to be disseminated.
CP-1.1 - CCI-000438
The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CP-1.2 - CCI-000439
The organization disseminates a contingency planning policy to organization-defined personnel or roles.
CP-1.6 - CCI-002826
The organization defines personnel or roles to whom the contingency planning procedures are disseminated.
CP-1.4 - CCI-000441
The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CP-1.5 - CCI-001597
The organization disseminates contingency planning procedures to organization-defined personnel or roles.
CP-1.7 - CCI-000437
The organization defines the frequency to review and update the current contingency planning policy.
CP-1.8 - CCI-000440
The organization reviews and updates the current contingency planning policy in accordance with organization-defined frequency.
CP-1.9 - CCI-001596
The organization defines the frequency to review and update the current contingency planning procedures.
CP-1.10 - CCI-001598
The organization reviews and updates the current contingency planning procedures in accordance with the organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
  6. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
CONTINGENCY PLAN
RMF Control
CP-2
Subject Area
CONTINGENCY PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.
Instructions
CP-2a.
Develop a contingency plan for the system that:
CP-2b.
Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2c.
Coordinate contingency planning activities with incident handling activities;
CP-2d.
Review the contingency plan for the system [Assignment: organization-defined frequency];
CP-2e.
Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
CP-2f.
Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2g.
Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
CP-2h.
Protect the contingency plan from unauthorized disclosure and modification.
Assessment Procedures
CP-2.1 - CCI-000443
The organization develops a contingency plan for the information system that identifies essential missions.
CP-2.2 - CCI-000444
The organization develops a contingency plan for the information system that identifies essential business functions.
CP-2.3 - CCI-000445
The organization develops a contingency plan for the information system that identifies associated contingency requirements.
CP-2.4 - CCI-000446
The organization develops a contingency plan for the information system that provides recovery objectives.
CP-2.5 - CCI-000447
The organization develops a contingency plan for the information system that provides restoration priorities.
CP-2.6 - CCI-000448
The organization develops a contingency plan for the information system that provides metrics.
CP-2.7 - CCI-000449
The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information.
CP-2.8 - CCI-000450
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption.
CP-2.9 - CCI-000451
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption.
CP-2.10 - CCI-000452
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise.
CP-2.11 - CCI-000453
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise.
CP-2.12 - CCI-000454
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure.
CP-2.13 - CCI-000455
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure.
CP-2.14 - CCI-000456
The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented.
CP-2.15 - CCI-000457
The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles.
CP-2.17 - CCI-000458
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan.
CP-2.18 - CCI-000459
The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
CP-2.19 - CCI-000460
The organization coordinates contingency planning activities with incident handling activities.
CP-2.20 - CCI-000461
The organization defines the frequency to review the contingency plan for the information system.
CP-2.21 - CCI-000462
The organization reviews the contingency plan for the information system in accordance with organization-defined frequency.
CP-2.22 - CCI-000463
The organization updates the contingency plan to address changes to the organization.
CP-2.23 - CCI-000464
The organization updates the contingency plan to address changes to the information system.
CP-2.24 - CCI-000465
The organization updates the contingency plan to address changes to the environment of operation.
CP-2.25 - CCI-000466
The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.
CP-2.26 - CCI-000468
The organization communicates contingency plan changes to organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
CP-2.16 - CCI-002830
The organization defines the personnel or roles who review and approve the contingency plan for the information system.
CP-2.27 - CCI-002831
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated.
CP-2.28 - CCI-002832
The organization protects the contingency plan from unauthorized disclosure and modification.
Related Controls
  1. CP-3 - Contingency Training
  2. CP-4 - Contingency Plan Testing
  3. CP-6 - Alternate Storage Site
  4. CP-7 - Alternate Processing Site
  5. CP-8 - Telecommunications Services
  6. CP-9 - System Backup
  7. CP-10 - System Recovery And Reconstitution
  8. CP-11 - Alternate Communications Protocols
  9. CP-13 - Alternative Security Mechanisms
  10. IR-4 - Incident Handling
  11. IR-6 - Incident Reporting
  12. IR-8 - Incident Response Plan
  13. IR-9 - Information Spillage Response
  14. MA-6 - Timely Maintenance
  15. MP-2 - Media Access
  16. MP-4 - Media Storage
  17. MP-5 - Media Transport
  18. PL-2 - System Security And Privacy Plans
  19. PM-8 - Critical Infrastructure Plan
  20. PM-11 - Mission And Business Process Definition
  21. SA-15 - Development Process, Standards, And Tools
  22. SA-20 - Customized Development Of Critical Components
  23. SC-7 - Boundary Protection
  24. SC-23 - Session Authenticity
  25. SI-12 - Information Management And Retention
References
  1. Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179., "IR 8179" https://doi.org/10.6028/NIST.IR.8179
  2. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-2(1) - Coordinate With Related Plans
Coordinate contingency plan development with organizational elements responsible for related plans.
CP-2(2) - Capacity Planning
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2(3) - Resume Mission And Business Functions
Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2(4) - Resume All Mission And Business Functions
[Withdrawn: Incorporated into CP-2(3)].
CP-2(5) - Continue Mission And Business Functions
Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
CP-2(6) - Alternate Processing And Storage Sites
Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.
CP-2(7) - Coordinate With External Service Providers
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CP-2(8) - Identify Critical Assets
Identify critical system assets supporting [Selection: all; essential] mission and business functions.
CONTINGENCY TRAINING
RMF Control
CP-3
Subject Area
CONTINGENCY PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.
Instructions
CP-3a.
Provide contingency training to system users consistent with assigned roles and responsibilities:
CP-3b.
Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Assessment Procedures
CP-3.2 - CCI-002833
The organization defines the time period that contingency training is to be provided to information system users consistent with assigned roles and responsibilities within assuming a contingency role or responsibility.
CP-3.1 - CCI-000486
The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility.
CP-3.3 - CCI-002834
The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes.
CP-3.4 - CCI-000485
The organization defines the frequency of refresher contingency training to information system users.
CP-3.5 - CCI-000487
The organization provides refresher contingency training to information system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. AT-4 - Training Records
  4. CP-2 - Contingency Plan
  5. CP-4 - Contingency Plan Testing
  6. CP-8 - Telecommunications Services
  7. IR-2 - Incident Response Training
  8. IR-4 - Incident Handling
  9. IR-9 - Information Spillage Response
References
  1. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
CP-3(1) - Simulated Events
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-3(2) - Mechanisms Used In Training Environments
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
CONTINGENCY PLAN TESTING
RMF Control
CP-4
Subject Area
CONTINGENCY PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.
Instructions
CP-4a.
Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
CP-4b.
Review the contingency plan test results; and
CP-4c.
Initiate corrective actions, if needed.
Assessment Procedures
CP-4.1 - CCI-000490
The organization defines the frequency to test the contingency plan for the information system.
CP-4.2 - CCI-000492
The organization defines contingency plan tests to be conducted for the information system.
CP-4.3 - CCI-000494
The organization tests the contingency plan for the information system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.
CP-4.4 - CCI-000496
The organization reviews the contingency plan test results.
CP-4.5 - CCI-000497
The organization initiates corrective actions, if needed, after reviewing the contingency plan test results.
Related Controls
  1. AT-3 - Role-Based Training
  2. CP-2 - Contingency Plan
  3. CP-3 - Contingency Training
  4. CP-8 - Telecommunications Services
  5. CP-9 - System Backup
  6. IR-3 - Incident Response Testing
  7. IR-4 - Incident Handling
  8. PL-2 - System Security And Privacy Plans
  9. PM-14 - Testing, Training, And Monitoring
  10. SR-2 - Supply Chain Risk Management Plan
References
  1. Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84., "SP 800-84" https://doi.org/10.6028/NIST.SP.800-84
  2. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  3. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
  4. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-4(1) - Coordinate With Related Plans
Coordinate contingency plan testing with organizational elements responsible for related plans.
CP-4(2) - Alternate Processing Site
Test the contingency plan at the alternate processing site:
CP-4(3) - Automated Testing
Test the contingency plan using [Assignment: organization-defined automated mechanisms].
CP-4(4) - Full Recovery And Reconstitution
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
CP-4(5) - Self-Challenge
Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.
CONTINGENCY PLAN UPDATE
RMF Control
CP-5
Subject Area
CONTINGENCY PLANNING
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into CP-2].
Assessment Procedures
Related Controls
References
Enhancements
ALTERNATE STORAGE SITE
RMF Control
CP-6
Subject Area
CONTINGENCY PLANNING
Baseline Areas
MODERATE, HIGH
Description
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.
Instructions
CP-6a.
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
CP-6b.
Ensure that the alternate storage site provides controls equivalent to that of the primary site.
Assessment Procedures
CP-6.1 - CCI-000505
The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.
CP-6.2 - CCI-002836
The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-7 - Alternate Processing Site
  3. CP-8 - Telecommunications Services
  4. CP-9 - System Backup
  5. CP-10 - System Recovery And Reconstitution
  6. MP-4 - Media Storage
  7. MP-5 - Media Transport
  8. PE-3 - Physical Access Control
  9. SC-36 - Distributed Processing And Storage
  10. SI-13 - Predictable Failure Prevention
References
  1. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-6(1) - Separation From Primary Site
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
CP-6(2) - Recovery Time And Recovery Point Objectives
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6(3) - Accessibility
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
ALTERNATE PROCESSING SITE
RMF Control
CP-7
Subject Area
CONTINGENCY PLANNING
Baseline Areas
MODERATE, HIGH
Description
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.
Instructions
CP-7a.
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
CP-7b.
Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
CP-7c.
Provide controls at the alternate processing site that are equivalent to those at the primary site.
Assessment Procedures
CP-7.1 - CCI-000510
The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable.
CP-7.2 - CCI-000513
The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
CP-7.3 - CCI-000514
The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
CP-7.5 - CCI-000515
The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
CP-7.6 - CCI-000521
The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CP-7.4 - CCI-002839
The organization defines information system operations that are permitted to transfer and resume at an alternate processing sites for essential missions/business functions when the primary processing capabilities are unavailable.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-6 - Alternate Storage Site
  3. CP-8 - Telecommunications Services
  4. CP-9 - System Backup
  5. CP-10 - System Recovery And Reconstitution
  6. MA-6 - Timely Maintenance
  7. PE-3 - Physical Access Control
  8. PE-11 - Emergency Power
  9. PE-12 - Emergency Lighting
  10. PE-17 - Alternate Work Site
  11. SC-36 - Distributed Processing And Storage
  12. SI-13 - Predictable Failure Prevention
References
  1. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-7(1) - Separation From Primary Site
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
CP-7(2) - Accessibility
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7(3) - Priority Of Service
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
CP-7(4) - Preparation For Use
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
CP-7(5) - Equivalent Information Security Safeguards
[Withdrawn: Incorporated into CP-7].
CP-7(6) - Inability To Return To Primary Site
Plan and prepare for circumstances that preclude returning to the primary processing site.
TELECOMMUNICATIONS SERVICES
RMF Control
CP-8
Subject Area
CONTINGENCY PLANNING
Baseline Areas
MODERATE, HIGH
Description
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.
Instructions
Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Assessment Procedures
CP-8.1 - CCI-000522
The organization defines the time period to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8.2 - CCI-000523
The organization defines the time period to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8.3 - CCI-000524
The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8.4 - CCI-000525
The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8.5 - CCI-002840
The organization defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8.6 - CCI-002841
The organization defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-6 - Alternate Storage Site
  3. CP-7 - Alternate Processing Site
  4. CP-11 - Alternate Communications Protocols
  5. SC-7 - Boundary Protection
References
  1. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-8(1) - Priority Of Service Provisions
CP-8(2) - Single Points Of Failure
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3) - Separation Of Primary And Alternate Providers
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-8(4) - Provider Contingency Plan
CP-8(5) - Alternate Telecommunication Service Testing
Test alternate telecommunication services [Assignment: organization-defined frequency].
SYSTEM BACKUP
RMF Control
CP-9
Subject Area
CONTINGENCY PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
Instructions
CP-9a.
Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9b.
Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9c.
Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
CP-9d.
Protect the confidentiality, integrity, and availability of backup information.
Assessment Procedures
CP-9.1 - CCI-000534
The organization defines frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.
CP-9.2 - CCI-000535
The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CP-9.3 - CCI-000536
The organization defines frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.
CP-9.4 - CCI-000537
The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CP-9.5 - CCI-000538
The organization defines the frequency of conducting information system documentation backups including security-related documentation to support recovery time objectives and recovery point objectives.
CP-9.6 - CCI-000539
The organization conducts backups of information system documentation including security-related documentation per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CP-9.7 - CCI-000540
The organization protects the confidentiality, integrity, and availability of backup information at storage locations.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-6 - Alternate Storage Site
  3. CP-10 - System Recovery And Reconstitution
  4. MP-4 - Media Storage
  5. MP-5 - Media Transport
  6. SC-8 - Transmission Confidentiality And Integrity
  7. SC-12 - Cryptographic Key Establishment And Management
  8. SC-13 - Cryptographic Protection
  9. SI-4 - System Monitoring
  10. SI-13 - Predictable Failure Prevention
References
  1. Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152., "SP 800-152" https://doi.org/10.6028/NIST.SP.800-152
  2. Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130., "SP 800-130" https://doi.org/10.6028/NIST.SP.800-130
  3. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-9(1) - Testing For Reliability And Integrity
Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9(2) - Test Restoration Using Sampling
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
CP-9(3) - Separate Storage For Critical Information
Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.
CP-9(4) - Protection From Unauthorized Modification
[Withdrawn: Incorporated into CP-9].
CP-9(5) - Transfer To Alternate Storage Site
Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CP-9(6) - Redundant Secondary System
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9(7) - Dual Authorization For Deletion Or Destruction
Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
CP-9(8) - Cryptographic Protection
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].
SYSTEM RECOVERY AND RECONSTITUTION
RMF Control
CP-10
Subject Area
CONTINGENCY PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.
Instructions
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
Assessment Procedures
CP-10.1 - CCI-000550
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption.
CP-10.2 - CCI-000551
The organization provides for the recovery and reconstitution of the information system to a known state after a compromise.
CP-10.3 - CCI-000552
The organization provides for the recovery and reconstitution of the information system to a known state after a failure.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-4 - Contingency Plan Testing
  3. CP-6 - Alternate Storage Site
  4. CP-7 - Alternate Processing Site
  5. CP-9 - System Backup
  6. IR-4 - Incident Handling
  7. SA-8 - Security And Privacy Engineering Principles
  8. SC-24 - Fail In Known State
  9. SI-13 - Predictable Failure Prevention
References
  1. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
CP-10(1) - Contingency Plan Testing
[Withdrawn: Incorporated into CP-4].
CP-10(2) - Transaction Recovery
Implement transaction recovery for systems that are transaction-based.
CP-10(3) - Compensating Security Controls
Addressed through tailoring.
CP-10(4) - Restore Within Time Period
Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CP-10(5) - Failover Capability
[Withdrawn: Incorporated into SI-13].
CP-10(6) - Component Protection
Protect system components used for recovery and reconstitution.
ALTERNATE COMMUNICATIONS PROTOCOLS
RMF Control
CP-11
Subject Area
CONTINGENCY PLANNING
Baseline Areas
NOT SELECTED
Description
Contingency plans and the contingency training or testing associated with those plans incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation.
Instructions
Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
Assessment Procedures
CP-11.1 - CCI-002853
The information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations.
CP-11.2 - CCI-002854
The organization defines the alternative communications protocols the information systems must be capable of providing in support of maintaining continuity of operations.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-8 - Telecommunications Services
  3. CP-13 - Alternative Security Mechanisms
References
Enhancements
SAFE MODE
RMF Control
CP-12
Subject Area
CONTINGENCY PLANNING
Baseline Areas
NOT SELECTED
Description
For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth.
Instructions
When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
Assessment Procedures
CP-12.1 - CCI-002855
The information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
CP-12.2 - CCI-002856
The organization defines the conditions, that when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
CP-12.3 - CCI-002857
The organization defines the restrictions of safe mode of operation that the information system will enter when organization-defined conditions are detected.
Related Controls
  1. CM-2 - Baseline Configuration
  2. SA-8 - Security And Privacy Engineering Principles
  3. SC-24 - Fail In Known State
  4. SI-13 - Predictable Failure Prevention
  5. SI-17 - Fail-Safe Procedures
References
Enhancements
ALTERNATIVE SECURITY MECHANISMS
RMF Control
CP-13
Subject Area
CONTINGENCY PLANNING
Baseline Areas
NOT SELECTED
Description
Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are only applied to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue one-time pads to senior executives, officials, and system administrators if multi-factor tokens—the standard means for achieving secure authentication— are compromised.
Instructions
Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
Assessment Procedures
CP-13.1 - CCI-002858
The organization employs organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
CP-13.2 - CCI-002859
The organization defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
CP-13.3 - CCI-002860
The organization defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-11 - Alternate Communications Protocols
  3. SI-13 - Predictable Failure Prevention
References
Enhancements
POLICY AND PROCEDURES
RMF Control
IA-1
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
IA-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
IA-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and
IA-1c.
Review and update the current identification and authentication:
Assessment Procedures
IA-1.1 - CCI-001933
The organization defines the personnel or roles to be recipients of the identification and authentication policy and the procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1.2 - CCI-000756
The organization develops and documents an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IA-1.3 - CCI-000757
The organization disseminates to organization defined personnel or roles an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IA-1.4 - CCI-000760
The organization develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1.5 - CCI-000761
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1.6 - CCI-000758
The organization reviews and updates identification and authentication policy in accordance with the organization defined frequency.
IA-1.7 - CCI-000759
The organization defines a frequency for reviewing and updating the identification and authentication policy.
IA-1.8 - CCI-000762
The organization reviews and updates identification and authentication procedures in accordance with the organization defined frequency.
IA-1.9 - CCI-000763
The organization defines a frequency for reviewing and updating the identification and authentication procedures.
Related Controls
  1. AC-1 - Policy And Procedures
  2. PM-9 - Risk Management Strategy
  3. PS-8 - Personnel Sanctions
  4. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  3. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  4. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  5. Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874., "IR 7874" https://doi.org/10.6028/NIST.IR.7874
  6. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  7. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  8. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  9. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  10. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  11. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
Enhancements
IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
RMF Control
IA-2
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.
Instructions
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Assessment Procedures
IA-2.1 - CCI-000764
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-4 - Information Flow Enforcement
  4. AC-14 - Permitted Actions Without Identification Or Authentication
  5. AC-17 - Remote Access
  6. AC-18 - Wireless Access
  7. AU-1 - Policy And Procedures
  8. AU-6 - Audit Record Review, Analysis, And Reporting
  9. IA-4 - Identifier Management
  10. IA-5 - Authenticator Management
  11. IA-8 - Identification And Authentication (Non-Organizational Users)
  12. MA-4 - Nonlocal Maintenance
  13. MA-5 - Maintenance Personnel
  14. PE-2 - Physical Access Authorizations
  15. PL-4 - Rules Of Behavior
  16. SA-4 - Acquisition Process
  17. SA-8 - Security And Privacy Engineering Principles
References
  1. Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849., "IR 7849" https://doi.org/10.6028/NIST.IR.7849
  2. Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676., "IR 7676" https://doi.org/10.6028/NIST.IR.7676
  3. Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870., "IR 7870" https://doi.org/10.6028/NIST.IR.7870
  4. Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166., "SP 800-166" https://doi.org/10.6028/NIST.SP.800-166
  5. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  6. Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539., "IR 7539" https://doi.org/10.6028/NIST.IR.7539
  7. Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817., "IR 7817" https://doi.org/10.6028/NIST.IR.7817
  8. Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2., "SP 800-79-2" https://doi.org/10.6028/NIST.SP.800-79-2
  9. Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156., "SP 800-156" https://doi.org/10.6028/NIST.SP.800-156
  10. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  11. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  12. Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874., "IR 7874" https://doi.org/10.6028/NIST.IR.7874
  13. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  14. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  15. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  16. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
  17. Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966., "IR 7966" https://doi.org/10.6028/NIST.IR.7966
Enhancements
IA-2(1) - Multi-Factor Authentication To Privileged Accounts
Implement multi-factor authentication for access to privileged accounts.
IA-2(2) - Multi-Factor Authentication To Non-Privileged Accounts
Implement multi-factor authentication for access to non-privileged accounts.
IA-2(3) - Local Access To Privileged Accounts
[Withdrawn: Incorporated into IA-2(1)].
IA-2(4) - Local Access To Non-Privileged Accounts
[Withdrawn: Incorporated into IA-2(2)].
IA-2(5) - Individual Authentication With Group Authentication
When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
IA-2(6) - Access To Accounts —Separate Device
Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that:
IA-2(7) - Network Access To Non-Privileged Accounts — Separate Device
[Withdrawn: Incorporated into IA-2(6)].
IA-2(8) - Access To Accounts — Replay Resistant
Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].
IA-2(9) - Network Access To Non-Privileged Accounts — Replay Resistant
[Withdrawn: Incorporated into IA-2(8)].
IA-2(10) - Single Sign-On
Provide a single sign-on capability for [Assignment: organization-defined system accounts and services].
IA-2(11) - Remote Access — Separate Device
[Withdrawn: Incorporated into IA-2(6)].
IA-2(12) - Acceptance Of Piv Credentials
Accept and electronically verify Personal Identity Verification-compliant credentials.
IA-2(13) - Out-Of-Band Authentication
Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication].
DEVICE IDENTIFICATION AND AUTHENTICATION
RMF Control
IA-3
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
MODERATE, HIGH
Description
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.
Instructions
Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
Assessment Procedures
IA-3.1 - CCI-000777
The organization defines a list of specific and/or types of devices for which identification and authentication is required before establishing a connection to the information system.
IA-3.2 - CCI-000778
The information system uniquely identifies an organization defined list of specific and/or types of devices before establishing a local, remote, or network connection.
IA-3.3 - CCI-001958
The information system authenticates an organization defined list of specific and/or types of devices before establishing a local, remote, or network connection.
Related Controls
  1. AC-17 - Remote Access
  2. AC-18 - Wireless Access
  3. AC-19 - Access Control For Mobile Devices
  4. AU-6 - Audit Record Review, Analysis, And Reporting
  5. CA-3 - Information Exchange
  6. CA-9 - Internal System Connections
  7. IA-4 - Identifier Management
  8. IA-5 - Authenticator Management
  9. IA-9 - Service Identification And Authentication
  10. IA-11 - Re-Authentication
  11. SI-4 - System Monitoring
References
Enhancements
IA-3(1) - Cryptographic Bidirectional Authentication
Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
IA-3(2) - Cryptographic Bidirectional Network Authentication
[Withdrawn: Incorporated into IA-3(1)].
IA-3(3) - Dynamic Address Allocation
IA-3(4) - Device Attestation
Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process].
IDENTIFIER MANAGEMENT
RMF Control
IA-4
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.
Instructions
Manage system identifiers by:
IA-4a.
Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;
IA-4b.
Selecting an identifier that identifies an individual, group, role, service, or device;
IA-4c.
Assigning the identifier to the intended individual, group, role, service, or device; and
IA-4d.
Preventing reuse of identifiers for [Assignment: organization-defined time period].
Assessment Procedures
IA-4.1 - CCI-001970
The organization defines the personnel or roles that authorize the assignment of individual, group, role, and device identifiers.
IA-4.2 - CCI-001971
The organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual, group, role or device identifier.
IA-4.3 - CCI-001972
The organization manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device.
IA-4.4 - CCI-001973
The organization manages information system identifiers by assigning the identifier to the intended individual, group, role, or device.
IA-4.5 - CCI-001974
The organization defines the time period for which the reuse of identifiers is prohibited.
IA-4.6 - CCI-001975
The organization manages information system identifiers by preventing reuse of identifiers for an organization-defined time period.
IA-4.7 - CCI-000794
The organization defines a time period of inactivity after which the identifier is disabled.
IA-4.8 - CCI-000795
The organization manages information system identifiers by disabling the identifier after an organization defined time period of inactivity.
Related Controls
  1. AC-5 - Separation Of Duties
  2. IA-2 - Identification And Authentication (Organizational Users)
  3. IA-3 - Device Identification And Authentication
  4. IA-5 - Authenticator Management
  5. IA-8 - Identification And Authentication (Non-Organizational Users)
  6. IA-9 - Service Identification And Authentication
  7. IA-12 - Identity Proofing
  8. MA-4 - Nonlocal Maintenance
  9. PE-2 - Physical Access Authorizations
  10. PE-3 - Physical Access Control
  11. PE-4 - Access Control For Transmission
  12. PL-4 - Rules Of Behavior
  13. PM-12 - Insider Threat Program
  14. PS-3 - Personnel Screening
  15. PS-4 - Personnel Termination
  16. PS-5 - Personnel Transfer
  17. SC-37 - Out-Of-Band Channels
References
  1. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  2. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  3. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  4. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  5. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
Enhancements
IA-4(1) - Prohibit Account Identifiers As Public Identifiers
Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
IA-4(2) - Supervisor Authorization
[Withdrawn: Incorporated into IA-12(1)].
IA-4(3) - Multiple Forms Of Certification
[Withdrawn: Incorporated into IA-12(2)].
IA-4(4) - Identify User Status
Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
IA-4(5) - Dynamic Management
Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy].
IA-4(6) - Cross-Organization Management
Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations].
IA-4(7) - In-Person Registration
[Withdrawn: Incorporated into IA-12(4)].
IA-4(8) - Pairwise Pseudonymous Identifiers
Generate pairwise pseudonymous identifiers.
IA-4(9) - Attribute Maintenance And Protection
Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage].
AUTHENTICATOR MANAGEMENT
RMF Control
IA-5
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.
Instructions
Manage system authenticators by:
IA-5a.
Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
IA-5b.
Establishing initial authenticator content for any authenticators issued by the organization;
IA-5c.
Ensuring that authenticators have sufficient strength of mechanism for their intended use;
IA-5d.
Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
IA-5e.
Changing default authenticators prior to first use;
IA-5f.
Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
IA-5g.
Protecting authenticator content from unauthorized disclosure and modification;
IA-5h.
Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
IA-5i.
Changing authenticators for group or role accounts when membership to those accounts changes.
Assessment Procedures
IA-5.14 - CCI-000180
The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators.
IA-5.2 - CCI-000176
The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization.
IA-5.3 - CCI-001544
The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
IA-5.7 - CCI-001984
The organization manages information system authenticators by establishing administrative procedures for revoking authenticators.
IA-5.15 - CCI-000181
The organization manages information system authenticators by establishing reuse conditions for authenticators.
IA-5.19 - CCI-000183
The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure.
IA-5.8 - CCI-001985
The organization manages information system authenticators by implementing administrative procedures for initial authenticator distribution.
IA-5.9 - CCI-001986
The organization manages information system authenticators by implementing administrative procedures for lost/compromised authenticators.
IA-5.10 - CCI-001987
The organization manages information system authenticators by implementing administrative procedures for damaged authenticators.
IA-5(5).1 - CCI-001998
The organization manages information system authenticators by implementing administrative procedures for revoking authenticators.
IA-5.5 - CCI-001982
The organization manages information system authenticators by establishing administrative procedures for lost/compromised authenticators.
IA-5.12 - CCI-001989
The organization manages information system authenticators by changing default content of authenticators prior to information system installation.
IA-5.13 - CCI-000179
The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators.
IA-5.1 - CCI-001980
The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
IA-5.4 - CCI-001981
The organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution.
IA-5.16 - CCI-000182
The organization manages information system authenticators by changing/refreshing authenticators in accordance with the organization defined time period by authenticator type.
IA-5.17 - CCI-001610
The organization defines the time period (by authenticator type) for changing/refreshing authenticators.
IA-5.6 - CCI-001983
The organization manages information system authenticators by establishing administrative procedures for damaged authenticators.
IA-5.18 - CCI-002042
The organization manages information system authenticators by protecting authenticator content from unauthorized modification.
IA-5.21 - CCI-002366
The organization manages information system authenticators by having devices implement specific security safeguards to protect authenticators.
IA-5.20 - CCI-002365
The organization manages information system authenticators by requiring individuals to take specific security safeguards to protect authenticators.
IA-5.22 - CCI-001990
The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-6 - Least Privilege
  3. CM-6 - Configuration Settings
  4. IA-2 - Identification And Authentication (Organizational Users)
  5. IA-4 - Identifier Management
  6. IA-7 - Cryptographic Module Authentication
  7. IA-8 - Identification And Authentication (Non-Organizational Users)
  8. IA-9 - Service Identification And Authentication
  9. MA-4 - Nonlocal Maintenance
  10. PE-2 - Physical Access Authorizations
  11. PL-4 - Rules Of Behavior
  12. SC-12 - Cryptographic Key Establishment And Management
  13. SC-13 - Cryptographic Protection
References
  1. Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849., "IR 7849" https://doi.org/10.6028/NIST.IR.7849
  2. Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870., "IR 7870" https://doi.org/10.6028/NIST.IR.7870
  3. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  4. Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539., "IR 7539" https://doi.org/10.6028/NIST.IR.7539
  5. Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817., "IR 7817" https://doi.org/10.6028/NIST.IR.7817
  6. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  7. Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040., "IR 8040" https://doi.org/10.6028/NIST.IR.8040
  8. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  9. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  10. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  11. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  12. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  13. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
Enhancements
IA-5(1) - Password-Based Authentication
For password-based authentication:
IA-5(2) - Public Key-Based Authentication
IA-5(3) - In-Person Or Trusted External Party Registration
[Withdrawn: Incorporated into IA-12(4)].
IA-5(4) - Automated Support For Password Strength Determination
[Withdrawn: Incorporated into IA-5(1)].
IA-5(5) - Change Authenticators Prior To Delivery
Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
IA-5(6) - Protection Of Authenticators
Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5(7) - No Embedded Unencrypted Static Authenticators
Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
IA-5(8) - Multiple System Accounts
Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.
IA-5(9) - Federated Credential Management
Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations].
IA-5(10) - Dynamic Credential Binding
Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules].
IA-5(11) - Hardware Token-Based Authentication
[Withdrawn: Incorporated into IA-2(1), IA-2(2)].
IA-5(12) - Biometric Authentication Performance
For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements].
IA-5(13) - Expiration Of Cached Authenticators
Prohibit the use of cached authenticators after [Assignment: organization-defined time period].
IA-5(14) - Managing Content Of Pki Trust Stores
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.
IA-5(15) - Gsa-Approved Products And Services
Use only General Services Administration-approved products and services for identity, credential, and access management.
IA-5(16) - In-Person Or Trusted External Party Authenticator Issuance
Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
IA-5(17) - Presentation Attack Detection For Biometric Authenticators
Employ presentation attack detection mechanisms for biometric-based authentication.
IA-5(18) - Password Managers
AUTHENTICATION FEEDBACK
RMF Control
IA-6
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.
Instructions
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
Assessment Procedures
IA-6.1 - CCI-000206
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Related Controls
  1. AC-3 - Access Enforcement
References
Enhancements
CRYPTOGRAPHIC MODULE AUTHENTICATION
RMF Control
IA-7
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.
Instructions
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
Assessment Procedures
IA-7.1 - CCI-000803
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Related Controls
  1. AC-3 - Access Enforcement
  2. IA-5 - Authenticator Management
  3. SA-4 - Acquisition Process
  4. SC-12 - Cryptographic Key Establishment And Management
  5. SC-13 - Cryptographic Protection
References
  1. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
Enhancements
IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
RMF Control
IA-8
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.
Instructions
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Assessment Procedures
IA-8.1 - CCI-000804
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Related Controls
  1. AC-2 - Account Management
  2. AC-6 - Least Privilege
  3. AC-14 - Permitted Actions Without Identification Or Authentication
  4. AC-17 - Remote Access
  5. AC-18 - Wireless Access
  6. AU-6 - Audit Record Review, Analysis, And Reporting
  7. IA-2 - Identification And Authentication (Organizational Users)
  8. IA-4 - Identifier Management
  9. IA-5 - Authenticator Management
  10. IA-10 - Adaptive Authentication
  11. IA-11 - Re-Authentication
  12. MA-4 - Nonlocal Maintenance
  13. RA-3 - Risk Assessment
  14. SA-4 - Acquisition Process
  15. SC-8 - Transmission Confidentiality And Integrity
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2., "SP 800-79-2" https://doi.org/10.6028/NIST.SP.800-79-2
  3. Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1., "SP 800-116" https://doi.org/10.6028/NIST.SP.800-116r1
  4. General Services Administration, ., "FED PKI" https://www.idmanagement.gov/topics/fpki
  5. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  6. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
IA-8(1) - Acceptance Of Piv Credentials From Other Agencies
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
IA-8(2) - Acceptance Of External Authenticators
IA-8(3) - Use Of Ficam-Approved Products
[Withdrawn: Incorporated into IA-8(2)].
IA-8(4) - Use Of Defined Profiles
Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].
IA-8(5) - Acceptance Of Piv-I Credentials
Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy].
IA-8(6) - Disassociability
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].
SERVICE IDENTIFICATION AND AUTHENTICATION
RMF Control
IA-9
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
NOT SELECTED
Description
Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions.
Instructions
Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.
Assessment Procedures
IA-9.1 - CCI-002017
The organization defines the information system services requiring identification.
IA-9.2 - CCI-002018
The organization defines the information system services requiring authentication.
IA-9.3 - CCI-002019
The organization defines the security safeguards to be used when identifying information system services.
IA-9.4 - CCI-002020
The organization defines the security safeguards to be used when authenticating information system services.
IA-9.5 - CCI-002021
The organization identifies organization-defined information system services using organization-defined security safeguards.
IA-9.6 - CCI-002022
The organization authenticates organization-defined information system services using organization-defined security safeguards.
Related Controls
  1. IA-3 - Device Identification And Authentication
  2. IA-4 - Identifier Management
  3. IA-5 - Authenticator Management
  4. SC-8 - Transmission Confidentiality And Integrity
References
Enhancements
IA-9(1) - Information Exchange
[Withdrawn: Incorporated into IA-9].
IA-9(2) - Transmission Of Decisions
[Withdrawn: Incorporated into IA-9].
ADAPTIVE AUTHENTICATION
RMF Control
IA-10
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
NOT SELECTED
Description
Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication.
Instructions
Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
Assessment Procedures
IA-10.1 - CCI-002033
The organization defines the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms.
IA-10.2 - CCI-002034
The organization defines the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system.
IA-10.3 - CCI-002035
The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.
Related Controls
  1. IA-2 - Identification And Authentication (Organizational Users)
  2. IA-8 - Identification And Authentication (Non-Organizational Users)
References
  1. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
Enhancements
RE-AUTHENTICATION
RMF Control
IA-11
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
LOW, MODERATE, HIGH
Description
In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.
Instructions
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
Assessment Procedures
IA-11.1 - CCI-002036
The organization defines the circumstances or situations when users will be required to reauthenticate.
IA-11.2 - CCI-002037
The organization defines the circumstances or situations when devices will be required to reauthenticate.
IA-11.3 - CCI-002038
The organization requires users to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
IA-11.4 - CCI-002039
The organization requires devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-11 - Device Lock
  3. IA-2 - Identification And Authentication (Organizational Users)
  4. IA-3 - Device Identification And Authentication
  5. IA-4 - Identifier Management
  6. IA-8 - Identification And Authentication (Non-Organizational Users)
References
Enhancements
IDENTITY PROOFING
RMF Control
IA-12
Subject Area
IDENTIFICATION AND AUTHENTICATION
Baseline Areas
MODERATE, HIGH
Description
Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include SP 800-63-3 and SP 800-63A. Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
Instructions
IA-12a.
Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;
IA-12b.
Resolve user identities to a unique individual; and
IA-12c.
Collect, validate, and verify identity evidence.
Assessment Procedures
Related Controls
  1. AC-5 - Separation Of Duties
  2. IA-1 - Policy And Procedures
  3. IA-2 - Identification And Authentication (Organizational Users)
  4. IA-3 - Device Identification And Authentication
  5. IA-4 - Identifier Management
  6. IA-5 - Authenticator Management
  7. IA-6 - Authentication Feedback
  8. IA-8 - Identification And Authentication (Non-Organizational Users)
References
  1. Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2., "SP 800-79-2" https://doi.org/10.6028/NIST.SP.800-79-2
  2. Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020., "SP 800-63A" https://doi.org/10.6028/NIST.SP.800-63a
  3. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  4. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
Enhancements
IA-12(1) - Supervisor Authorization
Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.
IA-12(2) - Identity Evidence
Require evidence of individual identification be presented to the registration authority.
IA-12(3) - Identity Evidence Validation And Verification
Require that the presented identity evidence be validated and verified through [Assignment: organizational defined methods of validation and verification].
IA-12(4) - In-Person Validation And Verification
Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
IA-12(5) - Address Confirmation
Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the users address (physical or digital) of record.
IA-12(6) - Accept Externally-Proofed Identities
Accept externally-proofed identities at [Assignment: organization-defined identity assurance level].
POLICY AND PROCEDURES
RMF Control
IR-1
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
IR-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
IR-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
IR-1c.
Review and update the current incident response:
Assessment Procedures
IR-1.1 - CCI-002776
The organization defines the personnel or roles to whom the incident response policy is disseminated.
IR-1.2 - CCI-002777
The organization defines the personnel or roles to whom the incident response procedures are disseminated.
IR-1.3 - CCI-000805
The organization develops and documents an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IR-1.4 - CCI-000806
The organization disseminates an incident response policy to organization-defined personnel or roles.
IR-1.6 - CCI-000809
The organization develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls.
IR-1.5 - CCI-000810
The organization disseminates incident response procedures to organization-defined personnel or roles.
IR-1.8 - CCI-000808
The organization defines the frequency to review and update the current incident response policy.
IR-1.7 - CCI-000807
The organization reviews and updates the current incident response policy in accordance with organization-defined frequency.
IR-1.10 - CCI-000812
The organization defines the frequency to review and update the current incident response procedures.
IR-1.9 - CCI-000811
The organization reviews and updates the current incident response procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
  3. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  4. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  5. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  6. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  7. Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1., "SP 800-83" https://doi.org/10.6028/NIST.SP.800-83r1
  8. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
INCIDENT RESPONSE TRAINING
RMF Control
IR-2
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
IR-2a.
Provide incident response training to system users consistent with assigned roles and responsibilities:
IR-2b.
Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Assessment Procedures
IR-2.2 - CCI-002778
The organization defines the time period in which information system users whom assume an incident response role or responsibility receive incident response training.
IR-2.1 - CCI-000813
The organization provides incident response training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility.
IR-2.5 - CCI-002779
The organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes.
IR-2.3 - CCI-000814
The organization provides refresher incident response training in accordance with organization-defined frequency.
IR-2.4 - CCI-000815
The organization defines a frequency for refresher incident response training.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. AT-4 - Training Records
  4. CP-3 - Contingency Training
  5. IR-3 - Incident Response Testing
  6. IR-4 - Incident Handling
  7. IR-8 - Incident Response Plan
  8. IR-9 - Information Spillage Response
References
  1. Office of Management and Budget Memorandum M-17-12, , January 2017., "OMB M-17-12" https://obamawhitehouse.archives.gov/sites/default
  2. Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50., "SP 800-50" https://doi.org/10.6028/NIST.SP.800-50
Enhancements
IR-2(1) - Simulated Events
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
IR-2(2) - Automated Training Environments
Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].
IR-2(3) - Breach
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
INCIDENT RESPONSE TESTING
RMF Control
IR-3
Subject Area
INCIDENT RESPONSE
Baseline Areas
MODERATE, HIGH, PRIVACY
Description
Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.
Instructions
Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].
Assessment Procedures
IR-3.1 - CCI-000818
The organization tests the incident response capability for the information system on an organization-defined frequency using organization-defined tests to determine the incident response effectiveness.
IR-3.2 - CCI-000819
The organization defines a frequency for incident response tests.
IR-3.3 - CCI-000820
The organization defines tests for incident response.
IR-3.4 - CCI-001624
The organization documents the results of incident response tests.
Related Controls
  1. CP-3 - Contingency Training
  2. CP-4 - Contingency Plan Testing
  3. IR-2 - Incident Response Training
  4. IR-4 - Incident Handling
  5. IR-8 - Incident Response Plan
  6. PM-14 - Testing, Training, And Monitoring
References
  1. Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84., "SP 800-84" https://doi.org/10.6028/NIST.SP.800-84
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115., "SP 800-115" https://doi.org/10.6028/NIST.SP.800-115
Enhancements
IR-3(1) - Automated Testing
Test the incident response capability using [Assignment: organization-defined automated mechanisms].
IR-3(2) - Coordination With Related Plans
Coordinate incident response testing with organizational elements responsible for related plans.
IR-3(3) - Continuous Improvement
Use qualitative and quantitative data from testing to:
INCIDENT HANDLING
RMF Control
IR-4
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.
Instructions
IR-4a.
Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
IR-4b.
Coordinate incident handling activities with contingency planning activities;
IR-4c.
Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
IR-4d.
Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Assessment Procedures
IR-4.1 - CCI-000822
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
IR-4.2 - CCI-000823
The organization coordinates incident handling activities with contingency planning activities.
IR-4.3 - CCI-000824
The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.
IR-4.4 - CCI-001625
The organization implements the resulting incident handling activity changes to incident response procedures, training and testing/exercise accordingly.
Related Controls
  1. AC-19 - Access Control For Mobile Devices
  2. AU-6 - Audit Record Review, Analysis, And Reporting
  3. AU-7 - Audit Record Reduction And Report Generation
  4. CM-6 - Configuration Settings
  5. CP-2 - Contingency Plan
  6. CP-3 - Contingency Training
  7. CP-4 - Contingency Plan Testing
  8. IR-2 - Incident Response Training
  9. IR-3 - Incident Response Testing
  10. IR-5 - Incident Monitoring
  11. IR-6 - Incident Reporting
  12. IR-8 - Incident Response Plan
  13. PE-6 - Monitoring Physical Access
  14. PL-2 - System Security And Privacy Plans
  15. PM-12 - Insider Threat Program
  16. SA-8 - Security And Privacy Engineering Principles
  17. SC-5 - Denial-Of-Service Protection
  18. SC-7 - Boundary Protection
  19. SI-3 - Malicious Code Protection
  20. SI-4 - System Monitoring
  21. SI-7 - Software, Firmware, And Information Integrity
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1., "SP 800-101" https://doi.org/10.6028/NIST.SP.800-101r1
  3. Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184., "SP 800-184" https://doi.org/10.6028/NIST.SP.800-184
  4. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
  5. Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150., "SP 800-150" https://doi.org/10.6028/NIST.SP.800-150
  6. Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86., "SP 800-86" https://doi.org/10.6028/NIST.SP.800-86
  7. Office of Management and Budget Memorandum M-17-12, , January 2017., "OMB M-17-12" https://obamawhitehouse.archives.gov/sites/default
  8. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
  9. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
  10. Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559., "IR 7559" https://doi.org/10.6028/NIST.IR.7559
Enhancements
IR-4(1) - Automated Incident Handling Processes
Support the incident handling process using [Assignment: organization-defined automated mechanisms].
IR-4(2) - Dynamic Reconfiguration
Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].
IR-4(3) - Continuity Of Operations
Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].
IR-4(4) - Information Correlation
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4(5) - Automatic Disabling Of System
Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
IR-4(6) - Insider Threats
Implement an incident handling capability for incidents involving insider threats.
IR-4(7) - Insider Threats — Intra-Organization Coordination
Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities].
IR-4(8) - Correlation With External Organizations
Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4(9) - Dynamic Response Capability
Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.
IR-4(10) - Supply Chain Coordination
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-4(11) - Integrated Incident Response Team
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].
IR-4(12) - Malicious Code And Forensic Analysis
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
IR-4(13) - Behavior Analysis
Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources].
IR-4(14) - Security Operations Center
Establish and maintain a security operations center.
IR-4(15) - Public Relations And Reputation Repair
INCIDENT MONITORING
RMF Control
IR-5
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.
Instructions
Track and document incidents.
Assessment Procedures
IR-5.1 - CCI-000832
The organization tracks and documents information system security incidents.
Related Controls
  1. AU-6 - Audit Record Review, Analysis, And Reporting
  2. AU-7 - Audit Record Reduction And Report Generation
  3. IR-4 - Incident Handling
  4. IR-6 - Incident Reporting
  5. IR-8 - Incident Response Plan
  6. PE-6 - Monitoring Physical Access
  7. PM-5 - System Inventory
  8. SC-5 - Denial-Of-Service Protection
  9. SC-7 - Boundary Protection
  10. SI-3 - Malicious Code Protection
  11. SI-4 - System Monitoring
  12. SI-7 - Software, Firmware, And Information Integrity
References
  1. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
Enhancements
IR-5(1) - Automated Tracking, Data Collection, And Analysis
Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].
INCIDENT REPORTING
RMF Control
IR-6
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.
Instructions
IR-6a.
Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
IR-6b.
Report incident information to [Assignment: organization-defined authorities].
Assessment Procedures
IR-6.1 - CCI-000834
The organization defines a time period for personnel to report suspected security incidents to the organizational incident response capability.
IR-6.2 - CCI-000835
The organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period.
IR-6.3 - CCI-000836
The organization reports security incident information to organization-defined authorities.
IR-6.4 - CCI-002791
The organization defines authorities to whom security incident information is reported.
Related Controls
  1. CM-6 - Configuration Settings
  2. CP-2 - Contingency Plan
  3. IR-4 - Incident Handling
  4. IR-5 - Incident Monitoring
  5. IR-8 - Incident Response Plan
  6. IR-9 - Information Spillage Response
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
  3. Department of Homeland Security, , April 2017., "USCERT IR" https://us-cert.cisa.gov/incident-notification-gui
  4. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
IR-6(1) - Automated Reporting
Report incidents using [Assignment: organization-defined automated mechanisms].
IR-6(2) - Vulnerabilities Related To Incidents
Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].
IR-6(3) - Supply Chain Coordination
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
INCIDENT RESPONSE ASSISTANCE
RMF Control
IR-7
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.
Instructions
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
Assessment Procedures
IR-7.1 - CCI-000839
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. IR-4 - Incident Handling
  4. IR-6 - Incident Reporting
  5. IR-8 - Incident Response Plan
  6. PM-22 - Personally Identifiable Information Quality Management
  7. PM-26 - Complaint Management
  8. SA-9 - External System Services
  9. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559., "IR 7559" https://doi.org/10.6028/NIST.IR.7559
Enhancements
IR-7(1) - Automation Support For Availability Of Information And Support
Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].
IR-7(2) - Coordination With External Providers
INCIDENT RESPONSE PLAN
RMF Control
IR-8
Subject Area
INCIDENT RESPONSE
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.
Instructions
IR-8a.
Develop an incident response plan that:
IR-8b.
Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
IR-8c.
Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
IR-8d.
Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
IR-8e.
Protect the incident response plan from unauthorized disclosure and modification.
Assessment Procedures
IR-8.1 - CCI-002794
The organization develops an incident response plan.
IR-8.2 - CCI-002795
The organization's incident response plan provides the organization with a roadmap for implementing its incident response capability.
IR-8.3 - CCI-002796
The organization's incident response plan describes the structure and organization of the incident response capability.
IR-8.4 - CCI-002797
The organization's incident response plan provides a high-level approach for how the incident response capability fits into the overall organization.
IR-8.5 - CCI-002798
The organization's incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions.
IR-8.6 - CCI-002799
The organization's incident response plan defines reportable incidents.
IR-8.7 - CCI-002800
The organization's incident response plan provides metrics for measuring the incident response capability within the organization.
IR-8.8 - CCI-002801
The organization's incident response plan defines the resources and management support needed to effectively maintain and mature an incident response capability.
IR-8.9 - CCI-002802
The organization defines personnel or roles to review and approve the incident response plan.
IR-8.10 - CCI-000844
The organization develops an incident response plan that is reviewed and approved by organization-defined personnel or roles.
IR-8.11 - CCI-000845
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan is distributed.
IR-8.12 - CCI-000846
The organization distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
IR-8.13 - CCI-000847
The organization defines the frequency for reviewing the incident response plan.
IR-8.14 - CCI-000848
The organization reviews the incident response plan on an organization-defined frequency.
IR-8.15 - CCI-000849
The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
IR-8.17 - CCI-002803
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom the incident response plan changes will be communicated.
IR-8.16 - CCI-000850
The organization communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
IR-8.18 - CCI-002804
The organization protects the incident response plan from unauthorized disclosure and modification.
Related Controls
  1. AC-2 - Account Management
  2. CP-2 - Contingency Plan
  3. CP-4 - Contingency Plan Testing
  4. IR-4 - Incident Handling
  5. IR-7 - Incident Response Assistance
  6. IR-9 - Information Spillage Response
  7. PE-6 - Monitoring Physical Access
  8. PL-2 - System Security And Privacy Plans
  9. SA-15 - Development Process, Standards, And Tools
  10. SI-12 - Information Management And Retention
  11. SR-8 - Notification Agreements
References
  1. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Office of Management and Budget Memorandum M-17-12, , January 2017., "OMB M-17-12" https://obamawhitehouse.archives.gov/sites/default
Enhancements
IR-8(1) - Breaches
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
INFORMATION SPILLAGE RESPONSE
RMF Control
IR-9
Subject Area
INCIDENT RESPONSE
Baseline Areas
NOT SELECTED
Description
Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.
Instructions
Respond to information spills by:
IR-9a.
Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
IR-9b.
Identifying the specific information involved in the system contamination;
IR-9c.
Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
IR-9d.
Isolating the contaminated system or system component;
IR-9e.
Eradicating the information from the contaminated system or component;
IR-9f.
Identifying other systems or system components that may have been subsequently contaminated; and
IR-9g.
Performing the following additional actions: [Assignment: organization-defined actions].
Assessment Procedures
IR-9.1 - CCI-002805
The organization responds to information spills by identifying the specific information involved in the information system contamination.
IR-9.2 - CCI-002806
The organization responds to information spills by alerting organization-defined personnel or roles of the information spill using a method of communication not associated with the spill.
IR-9.3 - CCI-002807
The organization defines personnel or roles to be alerted of the information spill using a method of communication not associated with the spill.
IR-9.4 - CCI-002808
The organization responds to information spills by isolating the contaminated information system or system component.
IR-9.5 - CCI-002809
The organization responds to information spills by eradicating the information from the contaminated information system or component.
IR-9.6 - CCI-002810
The organization responds to information spills by identifying other information systems or system components that may have been subsequently contaminated.
IR-9.7 - CCI-002811
The organization responds to information spills by performing other organization-defined actions.
IR-9.8 - CCI-002812
The organization defines other actions required to respond to information spills.
Related Controls
  1. CP-2 - Contingency Plan
  2. IR-6 - Incident Reporting
  3. PM-26 - Complaint Management
  4. PM-27 - Privacy Reporting
  5. PT-2 - Authority To Process Personally Identifiable Information
  6. PT-3 - Personally Identifiable Information Processing Purposes
  7. PT-7 - Specific Categories Of Personally Identifiable Information
  8. RA-7 - Risk Response
References
Enhancements
IR-9(1) - Responsible Personnel
[Withdrawn: Incorporated into IR-9].
IR-9(2) - Training
Provide information spillage response training [Assignment: organization-defined frequency].
IR-9(3) - Post-Spill Operations
Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].
IR-9(4) - Exposure To Unauthorized Personnel
Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].
INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
RMF Control
IR-10
Subject Area
INCIDENT RESPONSE
Baseline Areas
Description
Instructions
[Withdrawn: Moved to IR-4(11)].
Assessment Procedures
IR-10.1 - CCI-002822
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
Related Controls
References
Enhancements
POLICY AND PROCEDURES
RMF Control
MA-1
Subject Area
MAINTENANCE
Baseline Areas
LOW, MODERATE, HIGH
Description
Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
MA-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
MA-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and
MA-1c.
Review and update the current maintenance:
Assessment Procedures
MA-1.1 - CCI-002861
The organization defines the personnel or roles to whom a system maintenance policy is disseminated.
MA-1.2 - CCI-002862
The organization defines the personnel or roles to whom system maintenance procedures are to be disseminated.
MA-1.3 - CCI-000852
The organization develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
MA-1.4 - CCI-000853
The organization disseminates to organization-defined personnel or roles a system maintenance policy.
MA-1.5 - CCI-000855
The organization develops and documents procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.
MA-1.6 - CCI-000856
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.
MA-1.7 - CCI-000851
The organization defines the frequency to review and update the current system maintenance policy.
MA-1.8 - CCI-000854
The organization reviews and updates the current system maintenance policy in accordance with organization-defined frequency.
MA-1.10 - CCI-001628
The organization defines a frequency to review and update the current system maintenance procedures.
MA-1.9 - CCI-000857
The organization reviews and updates the current system maintenance procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CONTROLLED MAINTENANCE
RMF Control
MA-2
Subject Area
MAINTENANCE
Baseline Areas
LOW, MODERATE, HIGH
Description
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.
Instructions
MA-2a.
Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-2b.
Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
MA-2c.
Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
MA-2d.
Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information];
MA-2e.
Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
MA-2f.
Include the following information in organizational maintenance records: [Assignment: organization-defined information].
Assessment Procedures
MA-2.5 - CCI-002870
The organization schedules repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements
MA-2.1 - CCI-002866
The organization schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.7 - CCI-002872
The organization documents repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.3 - CCI-002868
The organization documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.8 - CCI-002873
The organization reviews records of repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.4 - CCI-002869
The organization reviews records of maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.6 - CCI-002871
The organization performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.2 - CCI-002867
The organization performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2.9 - CCI-000859
The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
MA-2.11 - CCI-002874
The organization defines the personnel or roles who can explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
MA-2.10 - CCI-000860
The organization requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
MA-2.12 - CCI-000861
The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs.
MA-2.13 - CCI-000862
The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
MA-2.15 - CCI-002876
The organization defines the maintenance-related information to include in organizational maintenance records.
MA-2.14 - CCI-002875
The organization includes organization-defined maintenance-related information in organizational maintenance records.
Related Controls
  1. CM-2 - Baseline Configuration
  2. CM-3 - Configuration Change Control
  3. CM-4 - Impact Analyses
  4. CM-5 - Access Restrictions For Change
  5. CM-8 - System Component Inventory
  6. MA-4 - Nonlocal Maintenance
  7. MP-6 - Media Sanitization
  8. PE-16 - Delivery And Removal
  9. SI-2 - Flaw Remediation
  10. SR-3 - Supply Chain Controls And Processes
  11. SR-4 - Provenance
  12. SR-11 - Component Authenticity
References
  1. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
MA-2(1) - Record Content
[Withdrawn: Incorporated into MA-2].
MA-2(2) - Automated Maintenance Activities
MAINTENANCE TOOLS
RMF Control
MA-3
Subject Area
MAINTENANCE
Baseline Areas
MODERATE, HIGH
Description
Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.
Instructions
MA-3a.
Approve, control, and monitor the use of system maintenance tools; and
MA-3b.
Review previously approved system maintenance tools [Assignment: organization-defined frequency].
Assessment Procedures
MA-3.1 - CCI-000865
The organization approves information system maintenance tools.
MA-3.2 - CCI-000866
The organization controls information system maintenance tools.
MA-3.3 - CCI-000867
The organization monitors information system maintenance tools.
Related Controls
  1. MA-2 - Controlled Maintenance
  2. PE-16 - Delivery And Removal
References
  1. Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1., "SP 800-88" https://doi.org/10.6028/NIST.SP.800-88r1
Enhancements
MA-3(1) - Inspect Tools
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
MA-3(2) - Inspect Media
Check media containing diagnostic and test programs for malicious code before the media are used in the system.
MA-3(3) - Prevent Unauthorized Removal
Prevent the removal of maintenance equipment containing organizational information by:
MA-3(4) - Restricted Tool Use
Restrict the use of maintenance tools to authorized personnel only.
MA-3(5) - Execution With Privilege
Monitor the use of maintenance tools that execute with increased privilege.
MA-3(6) - Software Updates And Patches
Inspect maintenance tools to ensure the latest software updates and patches are installed.
NONLOCAL MAINTENANCE
RMF Control
MA-4
Subject Area
MAINTENANCE
Baseline Areas
LOW, MODERATE, HIGH
Description
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.
Instructions
MA-4a.
Approve and monitor nonlocal maintenance and diagnostic activities;
MA-4b.
Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
MA-4c.
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
MA-4d.
Maintain records for nonlocal maintenance and diagnostic activities; and
MA-4e.
Terminate session and network connections when nonlocal maintenance is completed.
Assessment Procedures
MA-4.1 - CCI-000873
The organization approves nonlocal maintenance and diagnostic activities.
MA-4.2 - CCI-000874
The organization monitors nonlocal maintenance and diagnostic activities.
MA-4.3 - CCI-000876
The organization allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system.
MA-4.4 - CCI-000877
The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
MA-4.5 - CCI-000878
The organization maintains records for nonlocal maintenance and diagnostic activities.
MA-4.6 - CCI-000879
The organization terminates sessions and network connections when nonlocal maintenance is completed.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-6 - Least Privilege
  4. AC-17 - Remote Access
  5. AU-2 - Event Logging
  6. AU-3 - Content Of Audit Records
  7. IA-2 - Identification And Authentication (Organizational Users)
  8. IA-4 - Identifier Management
  9. IA-5 - Authenticator Management
  10. IA-8 - Identification And Authentication (Non-Organizational Users)
  11. MA-2 - Controlled Maintenance
  12. MA-5 - Maintenance Personnel
  13. PL-2 - System Security And Privacy Plans
  14. SC-7 - Boundary Protection
  15. SC-10 - Network Disconnect
References
  1. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  2. Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1., "SP 800-88" https://doi.org/10.6028/NIST.SP.800-88r1
  3. National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197., "FIPS 197" https://doi.org/10.6028/NIST.FIPS.197
  4. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  5. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
Enhancements
MA-4(1) - Logging And Review
MA-4(2) - Document Nonlocal Maintenance
[Withdrawn: Incorporated into MA-1, MA-4].
MA-4(3) - Comparable Security And Sanitization
MA-4(4) - Authentication And Separation Of Maintenance Sessions
Protect nonlocal maintenance sessions by:
MA-4(5) - Approvals And Notifications
MA-4(6) - Cryptographic Protection
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms].
MA-4(7) - Disconnect Verification
Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.
MAINTENANCE PERSONNEL
RMF Control
MA-5
Subject Area
MAINTENANCE
Baseline Areas
LOW, MODERATE, HIGH
Description
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.
Instructions
MA-5a.
Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
MA-5b.
Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
MA-5c.
Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Assessment Procedures
MA-5.1 - CCI-000890
The organization establishes a process for maintenance personnel authorization.
MA-5.2 - CCI-000891
The organization maintains a list of authorized maintenance organizations or personnel.
MA-5.3 - CCI-002894
The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations.
MA-5.4 - CCI-002895
The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-5 - Separation Of Duties
  4. AC-6 - Least Privilege
  5. IA-2 - Identification And Authentication (Organizational Users)
  6. IA-8 - Identification And Authentication (Non-Organizational Users)
  7. MA-4 - Nonlocal Maintenance
  8. MP-2 - Media Access
  9. PE-2 - Physical Access Authorizations
  10. PE-3 - Physical Access Control
  11. PS-7 - External Personnel Security
  12. RA-3 - Risk Assessment
References
Enhancements
MA-5(1) - Individuals Without Appropriate Access
MA-5(2) - Security Clearances For Classified Systems
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.
MA-5(3) - Citizenship Requirements For Classified Systems
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
MA-5(4) - Foreign Nationals
Ensure that:
MA-5(5) - Non-System Maintenance
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.
TIMELY MAINTENANCE
RMF Control
MA-6
Subject Area
MAINTENANCE
Baseline Areas
MODERATE, HIGH
Description
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.
Instructions
Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure.
Assessment Procedures
MA-6.1 - CCI-000903
The organization obtains maintenance support and/or spare parts for organization-defined information system components within an organization-defined time period of failure.
MA-6.2 - CCI-002896
The organization defines the information system components for which it obtains maintenance support and/or spare parts.
MA-6.3 - CCI-002897
The organization defines a time period for obtaining maintenance support and/or spare parts for organization-defined information system components after a failure.
Related Controls
  1. CM-8 - System Component Inventory
  2. CP-2 - Contingency Plan
  3. CP-7 - Alternate Processing Site
  4. RA-7 - Risk Response
  5. SA-15 - Development Process, Standards, And Tools
  6. SI-13 - Predictable Failure Prevention
  7. SR-2 - Supply Chain Risk Management Plan
  8. SR-3 - Supply Chain Controls And Processes
  9. SR-4 - Provenance
References
Enhancements
MA-6(1) - Preventive Maintenance
Perform preventive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].
MA-6(2) - Predictive Maintenance
Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].
MA-6(3) - Automated Support For Predictive Maintenance
Transfer predictive maintenance data to a maintenance management system using [Assignment: organization-defined automated mechanisms].
FIELD MAINTENANCE
RMF Control
MA-7
Subject Area
MAINTENANCE
Baseline Areas
NOT SELECTED
Description
Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls.
Instructions
Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities].
Assessment Procedures
Related Controls
  1. MA-2 - Controlled Maintenance
  2. MA-4 - Nonlocal Maintenance
  3. MA-5 - Maintenance Personnel
References
Enhancements
POLICY AND PROCEDURES
RMF Control
MP-1
Subject Area
MEDIA PROTECTION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
MP-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
MP-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and
MP-1c.
Review and update the current media protection:
Assessment Procedures
MP-1.3 - CCI-002566
The organization defines personnel or roles to whom a documented media protection policy and procedures will be disseminated.
MP-1.1 - CCI-000995
The organization develops and documents a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
MP-1.2 - CCI-000996
The organization disseminates to organization-defined personnel or roles a media protection policy.
MP-1.4 - CCI-000999
The organization develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls.
MP-1.5 - CCI-001000
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the media protection policy and associated media protection controls.
MP-1.7 - CCI-000998
The organization defines a frequency for reviewing and updating the current media protection policy.
MP-1.6 - CCI-000997
The organization reviews and updates the current media protection policy in accordance with organization-defined frequency.
MP-1.9 - CCI-001002
The organization defines a frequency for reviewing and updating the current media protection procedures.
MP-1.8 - CCI-001001
The organization reviews and updates the current media protection procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
MEDIA ACCESS
RMF Control
MP-2
Subject Area
MEDIA PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.
Instructions
Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
Assessment Procedures
MP-2.1 - CCI-001003
The organization restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.
MP-2.2 - CCI-001004
The organization defines types of digital and/or non-digital media for which the organization restricts access.
MP-2.3 - CCI-001005
The organization defines personnel or roles to restrict access to organization-defined types of digital and/or non-digital media.
Related Controls
  1. AC-19 - Access Control For Mobile Devices
  2. AU-9 - Protection Of Audit Information
  3. CP-2 - Contingency Plan
  4. CP-9 - System Backup
  5. CP-10 - System Recovery And Reconstitution
  6. MA-5 - Maintenance Personnel
  7. MP-4 - Media Storage
  8. MP-6 - Media Sanitization
  9. PE-2 - Physical Access Authorizations
  10. PE-3 - Physical Access Control
  11. SC-12 - Cryptographic Key Establishment And Management
  12. SC-13 - Cryptographic Protection
  13. SC-34 - Non-Modifiable Executable Programs
  14. SI-12 - Information Management And Retention
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111., "SP 800-111" https://doi.org/10.6028/NIST.SP.800-111
Enhancements
MP-2(1) - Automated Restricted Access
[Withdrawn: Incorporated into MP-4(2)].
MP-2(2) - Cryptographic Protection
[Withdrawn: Incorporated into SC-28(1)].
MEDIA MARKING
RMF Control
MP-3
Subject Area
MEDIA PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002. Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Instructions
MP-3a.
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
MP-3b.
Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas].
Assessment Procedures
MP-3.1 - CCI-001010
The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.
MP-3.2 - CCI-001011
The organization exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.
MP-3.3 - CCI-001012
The organization defines types of information system media to exempt from marking as long as the media remain within organization-defined controlled areas.
MP-3.4 - CCI-001013
The organization defines controlled areas where organization-defined types of information system media are exempt from being marked.
Related Controls
  1. AC-16 - Security And Privacy Attributes
  2. CP-9 - System Backup
  3. MP-5 - Media Transport
  4. PE-22 - Component Marking
  5. SI-12 - Information Management And Retention
References
  1. Code of Federal Regulations, Title 32, (32 C.F.R. 2002)., "32 CFR 2002" https://www.federalregister.gov/documents/2016/09/
  2. Executive Order 13556, , November 2010., "EO 13556" https://obamawhitehouse.archives.gov/the-press-off
  3. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
Enhancements
MEDIA STORAGE
RMF Control
MP-4
Subject Area
MEDIA PROTECTION
Baseline Areas
MODERATE, HIGH
Description
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.
Instructions
MP-4a.
Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
MP-4b.
Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Assessment Procedures
MP-4.1 - CCI-001014
The organization physically controls and securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas.
MP-4.2 - CCI-001015
The organization defines types of digital and/or non-digital media to physically control and securely store within organization-defined controlled areas.
MP-4.3 - CCI-001016
The organization defines controlled areas where organization-defined types of digital and/or non-digital media are physically controlled and securely stored.
MP-4.4 - CCI-001018
The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Related Controls
  1. AC-19 - Access Control For Mobile Devices
  2. CP-2 - Contingency Plan
  3. CP-6 - Alternate Storage Site
  4. CP-9 - System Backup
  5. CP-10 - System Recovery And Reconstitution
  6. MP-2 - Media Access
  7. MP-7 - Media Use
  8. PE-3 - Physical Access Control
  9. PL-2 - System Security And Privacy Plans
  10. SC-12 - Cryptographic Key Establishment And Management
  11. SC-13 - Cryptographic Protection
  12. SC-28 - Protection Of Information At Rest
  13. SC-34 - Non-Modifiable Executable Programs
  14. SI-12 - Information Management And Retention
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2., "SP 800-56C" https://doi.org/10.6028/NIST.SP.800-56Cr2
  4. Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3., "SP 800-56A" https://doi.org/10.6028/NIST.SP.800-56Ar3
  5. Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2., "SP 800-56B" https://doi.org/10.6028/NIST.SP.800-56Br2
  6. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
  7. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  8. Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111., "SP 800-111" https://doi.org/10.6028/NIST.SP.800-111
Enhancements
MP-4(1) - Cryptographic Protection
[Withdrawn: Incorporated into SC-28(1)].
MP-4(2) - Automated Restricted Access
Restrict access to media storage areas and log access attempts and access granted using [Assignment: organization-defined automated mechanisms].
MEDIA TRANSPORT
RMF Control
MP-5
Subject Area
MEDIA PROTECTION
Baseline Areas
MODERATE, HIGH
Description
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
Instructions
MP-5a.
Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls];
MP-5b.
Maintain accountability for system media during transport outside of controlled areas;
MP-5c.
Document activities associated with the transport of system media; and
MP-5d.
Restrict the activities associated with the transport of system media to authorized personnel.
Assessment Procedures
MP-5.1 - CCI-001020
The organization protects and controls organization-defined types of information system media during transport outside of controlled areas using organization-defined security safeguards.
MP-5.2 - CCI-001021
The organization defines types of information system media protected and controlled during transport outside of controlled areas.
MP-5.3 - CCI-001022
The organization defines security safeguards to be used to protect and control organization-defined types of information system media during transport outside of controlled areas.
MP-5.4 - CCI-001023
The organization maintains accountability for information system media during transport outside of controlled areas.
MP-5.6 - CCI-001024
The organization restricts the activities associated with the transport of information system media to authorized personnel.
MP-5.5 - CCI-001025
The organization documents activities associated with the transport of information system media.
Related Controls
  1. AC-7 - Unsuccessful Logon Attempts
  2. AC-19 - Access Control For Mobile Devices
  3. CP-2 - Contingency Plan
  4. CP-9 - System Backup
  5. MP-3 - Media Marking
  6. MP-4 - Media Storage
  7. PE-16 - Delivery And Removal
  8. PL-2 - System Security And Privacy Plans
  9. SC-12 - Cryptographic Key Establishment And Management
  10. SC-13 - Cryptographic Protection
  11. SC-28 - Protection Of Information At Rest
  12. SC-34 - Non-Modifiable Executable Programs
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  2. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  3. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
MP-5(1) - Protection Outside Of Controlled Areas
[Withdrawn: Incorporated into MP-5].
MP-5(2) - Documentation Of Activities
[Withdrawn: Incorporated into MP-5].
MP-5(3) - Custodians
Employ an identified custodian during transport of system media outside of controlled areas.
MP-5(4) - Cryptographic Protection
[Withdrawn: Incorporated into SC-28(1)].
MEDIA SANITIZATION
RMF Control
MP-6
Subject Area
MEDIA PROTECTION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.
Instructions
MP-6a.
Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and
MP-6b.
Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Assessment Procedures
MP-6.1 - CCI-001028
The organization sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies.
MP-6.2 - CCI-002578
The organization defines information system media to sanitize prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies.
MP-6.3 - CCI-002579
The organization defines the sanitization techniques and procedures in accordance with applicable federal and organization standards and policies to be used to sanitize organization-defined information system media prior to disposal, release out of organizational control, or release for reuse.
MP-6.4 - CCI-002580
The organization employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-7 - Unsuccessful Logon Attempts
  3. AU-11 - Audit Record Retention
  4. MA-2 - Controlled Maintenance
  5. MA-3 - Maintenance Tools
  6. MA-4 - Nonlocal Maintenance
  7. MA-5 - Maintenance Personnel
  8. PM-22 - Personally Identifiable Information Quality Management
  9. SI-12 - Information Management And Retention
  10. SI-18 - Personally Identifiable Information Quality Operations
  11. SI-19 - De-Identification
  12. SR-11 - Component Authenticity
References
  1. Code of Federal Regulations, Title 32, (32 C.F.R. 2002)., "32 CFR 2002" https://www.federalregister.gov/documents/2016/09/
  2. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  3. Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1., "SP 800-88" https://doi.org/10.6028/NIST.SP.800-88r1
  4. National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry., "NARA CUI" https://www.archives.gov/cui
  5. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  6. National Security Agency, ., "NSA MEDIA" https://www.nsa.gov/resources/everyone/media-destr
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  8. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
  9. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  10. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
MP-6(1) - Review, Approve, Track, Document, And Verify
Review, approve, track, document, and verify media sanitization and disposal actions.
MP-6(2) - Equipment Testing
Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved.
MP-6(3) - Nondestructive Techniques
Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
MP-6(4) - Controlled Unclassified Information
[Withdrawn: Incorporated into MP-6].
MP-6(5) - Classified Information
[Withdrawn: Incorporated into MP-6].
MP-6(6) - Media Destruction
[Withdrawn: Incorporated into MP-6].
MP-6(7) - Dual Authorization
Enforce dual authorization for the sanitization of [Assignment: organization-defined system media].
MP-6(8) - Remote Purging Or Wiping Of Information
Provide the capability to purge or wipe information from [Assignment: organization-defined systems or system components] [Selection: remotely; under the following conditions: [Assignment: organization-defined conditions]].
MEDIA USE
RMF Control
MP-7
Subject Area
MEDIA PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.
Instructions
MP-7a.
[Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and
MP-7b.
Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
Assessment Procedures
MP-7.1 - CCI-002581
The organization defines the types of information system media to restrict or prohibit on organization-defined information systems or system components using organization-defined security safeguards.
MP-7.2 - CCI-002582
The organization defines the information systems or system components to restrict or prohibit the use of organization-defined types of information system media using organization-defined security safeguards.
MP-7.3 - CCI-002583
The organization defines the security safeguards to use for restricting or prohibiting the use of organization-defined types of information system media on organization-defined information systems or system components.
MP-7.4 - CCI-002584
The organization restricts or prohibits the use of organization-defined types of information system media on organization-defined information systems or system components using organization-defined security safeguards.
Related Controls
  1. AC-19 - Access Control For Mobile Devices
  2. AC-20 - Use Of External Systems
  3. PL-4 - Rules Of Behavior
  4. PM-12 - Insider Threat Program
  5. SC-34 - Non-Modifiable Executable Programs
  6. SC-41 - Port And I/O Device Access
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  2. Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111., "SP 800-111" https://doi.org/10.6028/NIST.SP.800-111
Enhancements
MP-7(1) - Prohibit Use Without Owner
[Withdrawn: Incorporated into MP-7].
MP-7(2) - Prohibit Use Of Sanitization-Resistant Media
Prohibit the use of sanitization-resistant media in organizational systems.
MEDIA DOWNGRADING
RMF Control
MP-8
Subject Area
MEDIA PROTECTION
Baseline Areas
NOT SELECTED
Description
Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information.
Instructions
MP-8a.
Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;
MP-8b.
Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
MP-8c.
Identify [Assignment: organization-defined system media requiring downgrading]; and
MP-8d.
Downgrade the identified system media using the established process.
Assessment Procedures
MP-8.5 - CCI-002600
The organization downgrades the identified information system media using the established process.
MP-8.1 - CCI-002596
The organization establishes and defines an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.
MP-8.2 - CCI-002597
The organization defines strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process.
MP-8.3 - CCI-002598
The organization ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information
MP-8.4 - CCI-002599
The organization defines and identifies the information system media requiring downgrading.
Related Controls
References
  1. Code of Federal Regulations, Title 32, (32 C.F.R. 2002)., "32 CFR 2002" https://www.federalregister.gov/documents/2016/09/
  2. National Security Agency, ., "NSA MEDIA" https://www.nsa.gov/resources/everyone/media-destr
Enhancements
MP-8(1) - Documentation Of Process
Document system media downgrading actions.
MP-8(2) - Equipment Testing
Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved.
MP-8(3) - Controlled Unclassified Information
Downgrade system media containing controlled unclassified information prior to public release.
MP-8(4) - Classified Information
Downgrade system media containing classified information prior to release to individuals without required access authorizations.
POLICY AND PROCEDURES
RMF Control
PE-1
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
PE-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PE-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
PE-1c.
Review and update the current physical and environmental protection:
Assessment Procedures
PE-1.1 - CCI-002908
The organization defines the personnel or roles to whom a physical and environmental protection policy is disseminated.
PE-1.2 - CCI-002909
The organization defines the personnel or roles to whom the physical and environmental protection procedures are disseminated.
PE-1.3 - CCI-000904
The organization develops and documents a physical and environment protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PE-1.4 - CCI-000905
The organization disseminates a physical and environmental protection policy to organization-defined personnel or roles.
PE-1.5 - CCI-000908
The organization develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
PE-1.6 - CCI-000909
The organization disseminates physical and environmental protection procedures to organization-defined personnel or roles.
PE-1.8 - CCI-000907
The organization defines the frequency to review and update the physical and environmental protection policy.
PE-1.7 - CCI-000906
The organization reviews and updates the current physical and environmental protection policy in accordance with organization-defined frequency.
PE-1.10 - CCI-000911
The organization defines the frequency to review and update the physical and environmental protection procedures.
PE-1.9 - CCI-000910
The organization reviews and updates the current physical and environmental protection procedures in accordance with organization-defined frequency.
Related Controls
  1. AT-3 - Role-Based Training
  2. PM-9 - Risk Management Strategy
  3. PS-8 - Personnel Sanctions
  4. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
Enhancements
PHYSICAL ACCESS AUTHORIZATIONS
RMF Control
PE-2
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
Instructions
PE-2a.
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
PE-2b.
Issue authorization credentials for facility access;
PE-2c.
Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
PE-2d.
Remove individuals from the facility access list when access is no longer required.
Assessment Procedures
PE-2.1 - CCI-000912
The organization develops a list of individuals with authorized access to the facility where the information system resides.
PE-2.2 - CCI-002910
The organization approves a list of individuals with authorized access to the facility where the information system resides.
PE-2.3 - CCI-002911
The organization maintains a list of individuals with authorized access to the facility where the information system resides.
PE-2.4 - CCI-000913
The organization issues authorization credentials for facility access.
PE-2.5 - CCI-000914
The organization reviews the access list detailing authorized facility access by individuals in accordance with organization-defined frequency.
PE-2.6 - CCI-000915
The organization defines the frequency to review the access list detailing authorized facility access by individuals.
PE-2.7 - CCI-001635
The organization removes individuals from the facility access list when access is no longer required.
Related Controls
  1. AT-3 - Role-Based Training
  2. AU-9 - Protection Of Audit Information
  3. IA-4 - Identifier Management
  4. MA-5 - Maintenance Personnel
  5. MP-2 - Media Access
  6. PE-3 - Physical Access Control
  7. PE-4 - Access Control For Transmission
  8. PE-5 - Access Control For Output Devices
  9. PE-8 - Visitor Access Records
  10. PM-12 - Insider Threat Program
  11. PS-3 - Personnel Screening
  12. PS-4 - Personnel Termination
  13. PS-5 - Personnel Transfer
  14. PS-6 - Access Agreements
References
  1. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  2. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  3. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  4. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
Enhancements
PE-2(1) - Access By Position Or Role
Authorize physical access to the facility where the system resides based on position or role.
PE-2(2) - Two Forms Of Identification
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
PE-2(3) - Restrict Unescorted Access
Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].
PHYSICAL ACCESS CONTROL
RMF Control
PE-3
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
Instructions
PE-3a.
Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
PE-3b.
Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
PE-3c.
Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
PE-3d.
Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
PE-3e.
Secure keys, combinations, and other physical access devices;
PE-3f.
Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
PE-3g.
Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Assessment Procedures
PE-3.2 - CCI-002915
The organization defines the entry/exit points to the facility where the information system resides.
PE-3.1 - CCI-000919
The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides.
PE-3.3 - CCI-000920
The organization verifies individual access authorizations before granting access to the facility.
PE-3.5 - CCI-002916
The organization defines the physical access control systems/devices or guards that control ingress/egress to the facility.
PE-3.4 - CCI-000921
The organization controls ingress/egress to the facility using one or more organization-defined physical access control systems/devices or guards.
PE-3.7 - CCI-002918
The organization defines entry/exit points that require physical access audit logs be maintained.
PE-3.6 - CCI-002917
The organization maintains physical access audit logs for organization-defined entry/exit points.
PE-3.9 - CCI-002920
The organization defines security safeguards to control access to areas within the facility officially designated as publicly accessible.
PE-3.8 - CCI-002919
The organization provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible.
PE-3.11 - CCI-002922
The organization defines circumstances requiring visitor escorts.
PE-3.10 - CCI-002921
The organization escorts visitors during organization-defined circumstances requiring visitor escorts.
PE-3.13 - CCI-002924
The organization defines circumstances requiring visitor monitoring.
PE-3.12 - CCI-002923
The organization monitors visitor activity during organization-defined circumstances requiring visitor monitoring.
PE-3.14 - CCI-000923
The organization secures keys, combinations, and other physical access devices.
PE-3.17 - CCI-002925
The organization defines the physical access devices to inventory.
PE-3.16 - CCI-000925
The organization defines the frequency for conducting inventories of organization-defined physical access devices.
PE-3.15 - CCI-000924
The organization inventories organization-defined physical access devices every organization-defined frequency.
PE-3.19 - CCI-000927
The organization defines a frequency for changing combinations and keys.
PE-3.18 - CCI-000926
The organization changes combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Related Controls
  1. AT-3 - Role-Based Training
  2. AU-2 - Event Logging
  3. AU-6 - Audit Record Review, Analysis, And Reporting
  4. AU-9 - Protection Of Audit Information
  5. AU-13 - Monitoring For Information Disclosure
  6. CP-10 - System Recovery And Reconstitution
  7. IA-3 - Device Identification And Authentication
  8. IA-8 - Identification And Authentication (Non-Organizational Users)
  9. MA-5 - Maintenance Personnel
  10. MP-2 - Media Access
  11. MP-4 - Media Storage
  12. PE-2 - Physical Access Authorizations
  13. PE-4 - Access Control For Transmission
  14. PE-5 - Access Control For Output Devices
  15. PE-8 - Visitor Access Records
  16. PS-2 - Position Risk Designation
  17. PS-3 - Personnel Screening
  18. PS-6 - Access Agreements
  19. PS-7 - External Personnel Security
  20. RA-3 - Risk Assessment
  21. SC-28 - Protection Of Information At Rest
  22. SI-4 - System Monitoring
  23. SR-3 - Supply Chain Controls And Processes
References
  1. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  2. Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1., "SP 800-116" https://doi.org/10.6028/NIST.SP.800-116r1
  3. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  4. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  5. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
Enhancements
PE-3(1) - System Access
Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].
PE-3(2) - Facility And Systems
Perform security checks [Assignment: organization-defined frequency] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
PE-3(3) - Continuous Guards
Employ guards to control [Assignment: organization-defined physical access points] to the facility where the system resides 24 hours per day, 7 days per week.
PE-3(4) - Lockable Casings
Use lockable physical casings to protect [Assignment: organization-defined system components] from unauthorized physical access.
PE-3(5) - Tamper Protection
Employ [Assignment: organization-defined anti-tamper technologies] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the system.
PE-3(6) - Facility Penetration Testing
[Withdrawn: Incorporated into CA-8].
PE-3(7) - Physical Barriers
Limit access using physical barriers.
PE-3(8) - Access Control Vestibules
Employ access control vestibules at [Assignment: organization-defined locations within the facility].
ACCESS CONTROL FOR TRANSMISSION
RMF Control
PE-4
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.
Instructions
Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls].
Assessment Procedures
PE-4.1 - CCI-000936
The organization controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.
PE-4.2 - CCI-002930
The organization defines information system distribution and transmission lines within organizational facilities to control physical access using organization-defined security safeguards.
PE-4.3 - CCI-002931
The organization defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities.
Related Controls
  1. AT-3 - Role-Based Training
  2. IA-4 - Identifier Management
  3. MP-2 - Media Access
  4. MP-4 - Media Storage
  5. PE-2 - Physical Access Authorizations
  6. PE-3 - Physical Access Control
  7. PE-5 - Access Control For Output Devices
  8. PE-9 - Power Equipment And Cabling
  9. SC-7 - Boundary Protection
  10. SC-8 - Transmission Confidentiality And Integrity
References
Enhancements
ACCESS CONTROL FOR OUTPUT DEVICES
RMF Control
PE-5
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.
Instructions
Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.
Assessment Procedures
PE-5.1 - CCI-000937
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Related Controls
  1. PE-2 - Physical Access Authorizations
  2. PE-3 - Physical Access Control
  3. PE-4 - Access Control For Transmission
  4. PE-18 - Location Of System Components
References
  1. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
Enhancements
PE-5(1) - Access To Output By Authorized Individuals
[Withdrawn: Incorporated into PE-5].
PE-5(2) - Link To Individual Identity
Link individual identity to receipt of output from output devices.
PE-5(3) - Marking Output Devices
[Withdrawn: Incorporated into PE-22].
MONITORING PHYSICAL ACCESS
RMF Control
PE-6
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2, if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
Instructions
PE-6a.
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
PE-6b.
Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
PE-6c.
Coordinate results of reviews and investigations with the organizational incident response capability.
Assessment Procedures
PE-6.1 - CCI-002939
The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents.
PE-6.5 - CCI-000940
The organization defines a frequency for reviewing physical access logs.
PE-6.4 - CCI-000939
The organization reviews physical access logs in accordance with organization-defined frequency.
PE-6.3 - CCI-002941
The organization defines events or potential indications of events requiring review of physical access logs.
PE-6.2 - CCI-002940
The organization reviews physical access logs upon occurrence of organization-defined events or potential indications of events
PE-6.6 - CCI-000941
The organization coordinates results of reviews and investigations with the organizations incident response capability.
Related Controls
  1. AU-2 - Event Logging
  2. AU-6 - Audit Record Review, Analysis, And Reporting
  3. AU-9 - Protection Of Audit Information
  4. AU-12 - Audit Record Generation
  5. CA-7 - Continuous Monitoring
  6. CP-10 - System Recovery And Reconstitution
  7. IR-4 - Incident Handling
  8. IR-8 - Incident Response Plan
References
Enhancements
PE-6(1) - Intrusion Alarms And Surveillance Equipment
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
PE-6(2) - Automated Intrusion Recognition And Responses
Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].
PE-6(3) - Video Surveillance
PE-6(4) - Monitoring Physical Access To Systems
Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].
VISITOR CONTROL
RMF Control
PE-7
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into PE-2, PE-3].
Assessment Procedures
Related Controls
References
Enhancements
VISITOR ACCESS RECORDS
RMF Control
PE-8
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
Instructions
PE-8a.
Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period];
PE-8b.
Review visitor access records [Assignment: organization-defined frequency]; and
PE-8c.
Report anomalies in visitor access records to [Assignment: organization-defined personnel].
Assessment Procedures
PE-8.2 - CCI-002952
The organization defines the time period to maintain visitor access records to the facility where the information system resides.
PE-8.1 - CCI-000947
The organization maintains visitor access records to the facility where the information system resides for organization-defined time period.
PE-8.4 - CCI-000949
The organization defines the frequency to review the visitor access records for the facility where the information system resides.
PE-8.3 - CCI-000948
The organization reviews visitor access records in accordance with organization-defined frequency.
Related Controls
  1. PE-2 - Physical Access Authorizations
  2. PE-3 - Physical Access Control
  3. PE-6 - Monitoring Physical Access
References
Enhancements
PE-8(1) - Automated Records Maintenance And Review
Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms].
PE-8(2) - Physical Access Records
[Withdrawn: Incorporated into PE-2].
PE-8(3) - Limit Personally Identifiable Information Elements
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].
POWER EQUIPMENT AND CABLING
RMF Control
PE-9
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.
Instructions
Protect power equipment and power cabling for the system from damage and destruction.
Assessment Procedures
PE-9.1 - CCI-000952
The organization protects power equipment and power cabling for the information system from damage and destruction.
Related Controls
  1. PE-4 - Access Control For Transmission
References
Enhancements
PE-9(1) - Redundant Cabling
Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
PE-9(2) - Automatic Voltage Controls
Employ automatic voltage controls for [Assignment: organization-defined critical system components].
EMERGENCY SHUTOFF
RMF Control
PE-10
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.
Instructions
PE-10a.
Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations;
PE-10b.
Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and
PE-10c.
Protect emergency power shutoff capability from unauthorized activation.
Assessment Procedures
PE-10.1 - CCI-000956
The organization provides the capability of shutting off power to the information system or individual system components in emergency situations.
PE-10.2 - CCI-000957
The organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel.
PE-10.3 - CCI-000958
The organization defines a location for emergency shutoff switches or devices by information system or system component.
PE-10.4 - CCI-000959
The organization protects emergency power shutoff capability from unauthorized activation.
Related Controls
  1. PE-15 - Water Damage Protection
References
Enhancements
PE-10(1) - Accidental And Unauthorized Activation
[Withdrawn: Incorporated into PE-10].
EMERGENCY POWER
RMF Control
PE-11
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
MODERATE, HIGH
Description
An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.
Instructions
Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss.
Assessment Procedures
PE-11.1 - CCI-002955
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to long-term alternate power in the event of a primary power source loss.
Related Controls
  1. AT-3 - Role-Based Training
  2. CP-2 - Contingency Plan
  3. CP-7 - Alternate Processing Site
References
Enhancements
PE-11(1) - Alternate Power Supply — Minimal Operational Capability
Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(2) - Alternate Power Supply — Self-Contained
Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is:
EMERGENCY LIGHTING
RMF Control
PE-12
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.
Instructions
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Assessment Procedures
PE-12.1 - CCI-000963
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-7 - Alternate Processing Site
References
Enhancements
PE-12(1) - Essential Mission And Business Functions
Provide emergency lighting for all areas within the facility supporting essential mission and business functions.
FIRE PROTECTION
RMF Control
PE-13
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.
Instructions
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
Assessment Procedures
PE-13.1 - CCI-000965
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Related Controls
  1. AT-3 - Role-Based Training
References
Enhancements
PE-13(1) - Detection Systems — Automatic Activation And Notification
Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
PE-13(2) - Suppression Systems — Automatic Activation And Notification
PE-13(3) - Automatic Fire Suppression
[Withdrawn: Incorporated into PE-13(2)].
PE-13(4) - Inspections
Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period].
ENVIRONMENTAL CONTROLS
RMF Control
PE-14
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.
Instructions
PE-14a.
Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and
PE-14b.
Monitor environmental control levels [Assignment: organization-defined frequency].
Assessment Procedures
PE-14.1 - CCI-000971
The organization maintains temperature and humidity levels within the facility where the information system resides at organization-defined acceptable levels.
PE-14.2 - CCI-000972
The organization defines acceptable temperature and humidity levels to be maintained within the facility where the information system resides.
PE-14.3 - CCI-000973
The organization monitors temperature and humidity levels in accordance with organization-defined frequency.
PE-14.4 - CCI-000974
The organization defines a frequency for monitoring temperature and humidity levels.
Related Controls
  1. AT-3 - Role-Based Training
  2. CP-2 - Contingency Plan
References
Enhancements
PE-14(1) - Automatic Controls
Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls].
PE-14(2) - Monitoring With Alarms And Notifications
Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles].
WATER DAMAGE PROTECTION
RMF Control
PE-15
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.
Instructions
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Assessment Procedures
PE-15.1 - CCI-000977
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible.
PE-15.2 - CCI-000978
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are working properly.
PE-15.3 - CCI-000979
Key personnel have knowledge of the master water shutoff or isolation valves.
Related Controls
  1. AT-3 - Role-Based Training
  2. PE-10 - Emergency Shutoff
References
Enhancements
PE-15(1) - Automation Support
Detect the presence of water near the system and alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms].
DELIVERY AND REMOVAL
RMF Control
PE-16
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Instructions
PE-16a.
Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and
PE-16b.
Maintain records of the system components.
Assessment Procedures
PE-16.1 - CCI-000981
The organization authorizes organization-defined types of information system components entering and exiting the facility.
PE-16.2 - CCI-000982
The organization monitors organization-defined types of information system components entering and exiting the facility.
PE-16.3 - CCI-000983
The organization controls organization-defined types of information system components entering and exiting the facility.
PE-16.4 - CCI-000984
The organization maintains records of information system components entering and exiting the facility.
PE-16.5 - CCI-002974
The organization defines types of information system components to authorize, monitor, and control entering and exiting the facility and to maintain records.
Related Controls
  1. CM-3 - Configuration Change Control
  2. CM-8 - System Component Inventory
  3. MA-2 - Controlled Maintenance
  4. MA-3 - Maintenance Tools
  5. MP-5 - Media Transport
  6. PE-20 - Asset Monitoring And Tracking
  7. SR-2 - Supply Chain Risk Management Plan
  8. SR-3 - Supply Chain Controls And Processes
  9. SR-4 - Provenance
  10. SR-6 - Supplier Assessments And Reviews
References
Enhancements
ALTERNATE WORK SITE
RMF Control
PE-17
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
Instructions
PE-17a.
Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees;
PE-17b.
Employ the following controls at alternate work sites: [Assignment: organization-defined controls];
PE-17c.
Assess the effectiveness of controls at alternate work sites; and
PE-17d.
Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Assessment Procedures
PE-17.1 - CCI-000985
The organization employs organization-defined security controls at alternate work sites.
PE-17.3 - CCI-000987
The organization assesses as feasible, the effectiveness of security controls at alternate work sites.
PE-17.4 - CCI-000988
The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-17.2 - CCI-002975
The organization defines security controls to employ at alternate work sites.
Related Controls
  1. AC-17 - Remote Access
  2. AC-18 - Wireless Access
  3. CP-7 - Alternate Processing Site
References
  1. Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2., "SP 800-46" https://doi.org/10.6028/NIST.SP.800-46r2
Enhancements
LOCATION OF SYSTEM COMPONENTS
RMF Control
PE-18
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
HIGH
Description
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.
Instructions
Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Assessment Procedures
PE-18.1 - CCI-000989
The organization positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards.
PE-18.2 - CCI-000991
The organization positions information system components within the facility to minimize the opportunity for unauthorized access.
PE-18.3 - CCI-002976
The organization defines physical and environmental hazards that could cause potential damage to information system components within the facility.
Related Controls
  1. CP-2 - Contingency Plan
  2. PE-5 - Access Control For Output Devices
  3. PE-19 - Information Leakage
  4. PE-20 - Asset Monitoring And Tracking
  5. RA-3 - Risk Assessment
References
Enhancements
PE-18(1) - Facility Site
[Withdrawn: Moved to PE-23].
INFORMATION LEAKAGE
RMF Control
PE-19
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
NOT SELECTED
Description
Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations.
Instructions
Protect the system from information leakage due to electromagnetic signals emanations.
Assessment Procedures
PE-19.1 - CCI-000993
The organization protects the information system from information leakage due to electromagnetic signals emanations.
Related Controls
  1. AC-18 - Wireless Access
  2. PE-18 - Location Of System Components
  3. PE-20 - Asset Monitoring And Tracking
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
Enhancements
PE-19(1) - National Emissions Policies And Procedures
Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information.
ASSET MONITORING AND TRACKING
RMF Control
PE-20
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
NOT SELECTED
Description
Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns.
Instructions
Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas].
Assessment Procedures
PE-20.1 - CCI-002979
The organization employs organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
PE-20.2 - CCI-002980
The organization defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
PE-20.3 - CCI-002981
The organization defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement.
PE-20.4 - CCI-002982
The organization defines controlled areas that the location and movement of organization-defined assets are tracked and monitored.
PE-20.5 - CCI-002983
The organization ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Related Controls
  1. CM-8 - System Component Inventory
  2. PE-16 - Delivery And Removal
  3. PM-8 - Critical Infrastructure Plan
References
Enhancements
ELECTROMAGNETIC PULSE PROTECTION
RMF Control
PE-21
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
NOT SELECTED
Description
An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure.
Instructions
Employ [Assignment: organization-defined protective measures] against electromagnetic pulse damage for [Assignment: organization-defined systems and system components].
Assessment Procedures
Related Controls
  1. PE-18 - Location Of System Components
  2. PE-19 - Information Leakage
References
Enhancements
COMPONENT MARKING
RMF Control
PE-22
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
NOT SELECTED
Description
Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in AC-3 or AC-4. Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.
Instructions
Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-16 - Security And Privacy Attributes
  4. MP-3 - Media Marking
References
  1. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
Enhancements
FACILITY LOCATION
RMF Control
PE-23
Subject Area
PHYSICAL AND ENVIRONMENTAL PROTECTION
Baseline Areas
NOT SELECTED
Description
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in PE-18.
Instructions
PE-23a.
Plan the location or site of the facility where the system resides considering physical and environmental hazards; and
PE-23b.
For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.
Assessment Procedures
Related Controls
  1. CP-2 - Contingency Plan
  2. PE-18 - Location Of System Components
  3. PE-19 - Information Leakage
  4. PM-8 - Critical Infrastructure Plan
  5. PM-9 - Risk Management Strategy
  6. RA-3 - Risk Assessment
References
Enhancements
POLICY AND PROCEDURES
RMF Control
PL-1
Subject Area
PLANNING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
PL-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PL-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and
PL-1c.
Review and update the current planning:
Assessment Procedures
PL-1.1 - CCI-003047
The organization defines the personnel or roles to whom a security planning policy is disseminated.
PL-1.2 - CCI-003048
The organization defines the personnel or roles to whom the security planning procedures are disseminated.
PL-1.3 - CCI-000563
The organization develops and documents a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PL-1.4 - CCI-000564
The organization disseminates a security planning policy to organization-defined personnel or roles.
PL-1.5 - CCI-000566
The organization develops and documents procedures to facilitate the implementation of the security planning policy and associated security planning controls.
PL-1.6 - CCI-001636
The organization defines the frequency to review and update the current security planning policy.
PL-1.7 - CCI-001637
The organization reviews and updates the current security planning policy in accordance with organization-defined frequency.
PL-1.10 - CCI-001638
The organization defines the frequency to review and update the current security planning procedures.
PL-1.9 - CCI-000568
The organization reviews and updates the current security planning procedures in accordance with organization-defined frequency.
PL-1.8 - CCI-000567
The organization disseminates security planning procedures to organization-defined personnel or roles.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  6. Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1., "SP 800-18" https://doi.org/10.6028/NIST.SP.800-18r1
Enhancements
SYSTEM SECURITY AND PRIVACY PLANS
RMF Control
PL-2
Subject Area
PLANNING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls. Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans. Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.
Instructions
PL-2a.
Develop security and privacy plans for the system that:
PL-2b.
Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
PL-2c.
Review the plans [Assignment: organization-defined frequency];
PL-2d.
Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
PL-2e.
Protect the plans from unauthorized disclosure and modification.
Assessment Procedures
PL-2.1 - CCI-003049
The organization develops a security plan for the information system.
PL-2.2 - CCI-003050
The organization's security plan for the information system is consistent with the organization's enterprise architecture.
PL-2.3 - CCI-003051
The organization's security plan for the information system explicitly defines the authorization boundary for the system.
PL-2.4 - CCI-003052
The organization's security plan for the information system describes the operational context of the information system in terms of missions and business processes.
PL-2.5 - CCI-003053
The organization's security plan for the information system provides the security categorization of the information system including supporting rationale.
PL-2.6 - CCI-003054
The organization's security plan for the information system describes the operational environment for the information system and relationships with or connections to other information systems.
PL-2.7 - CCI-003055
The organization's security plan for the information system provides an overview of the security requirements for the system
PL-2.8 - CCI-003056
The organization's security plan for the information system identifies any relevant overlays, if applicable.
PL-2.9 - CCI-003057
The organization's security plan for the information system describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions.
PL-2.10 - CCI-000571
The organization's security plan for the information system is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
PL-2.11 - CCI-003059
The organization distributes copies of the security plan to organization-defined personnel or roles.
PL-2.12 - CCI-003060
The organization defines the personnel or roles to whom copies of the security plan is distributed.
PL-2.13 - CCI-003061
The organization communicates subsequent changes to the security plan to organization-defined personnel or roles.
PL-2.14 - CCI-003062
The organization defines the personnel or roles to whom changes to the security plan are communicated.
PL-2.15 - CCI-000572
The organization defines the frequency for reviewing the security plan for the information system.
PL-2.16 - CCI-000573
The organization reviews the security plan for the information system in accordance with organization-defined frequency.
PL-2.17 - CCI-000574
The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
PL-2.18 - CCI-003063
The organization protects the security plan from unauthorized disclosure.
PL-2.19 - CCI-003064
The organization protects the security plan from unauthorized modification.
Related Controls
  1. AC-2 - Account Management
  2. AC-6 - Least Privilege
  3. AC-14 - Permitted Actions Without Identification Or Authentication
  4. AC-17 - Remote Access
  5. AC-20 - Use Of External Systems
  6. CA-2 - Control Assessments
  7. CA-3 - Information Exchange
  8. CA-7 - Continuous Monitoring
  9. CM-9 - Configuration Management Plan
  10. CM-13 - Data Action Mapping
  11. CP-2 - Contingency Plan
  12. CP-4 - Contingency Plan Testing
  13. IR-4 - Incident Handling
  14. IR-8 - Incident Response Plan
  15. MA-4 - Nonlocal Maintenance
  16. MA-5 - Maintenance Personnel
  17. MP-4 - Media Storage
  18. MP-5 - Media Transport
  19. PL-7 - Concept Of Operations
  20. PL-8 - Security And Privacy Architectures
  21. PL-10 - Baseline Selection
  22. PL-11 - Baseline Tailoring
  23. PM-1 - Information Security Program Plan
  24. PM-7 - Enterprise Architecture
  25. PM-8 - Critical Infrastructure Plan
  26. PM-9 - Risk Management Strategy
  27. PM-10 - Authorization Process
  28. PM-11 - Mission And Business Process Definition
  29. RA-3 - Risk Assessment
  30. RA-8 - Privacy Impact Assessments
  31. RA-9 - Criticality Analysis
  32. SA-5 - System Documentation
  33. SA-17 - Developer Security And Privacy Architecture And Design
  34. SA-22 - Unsupported System Components
  35. SI-12 - Information Management And Retention
  36. SR-2 - Supply Chain Risk Management Plan
  37. SR-4 - Provenance
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  4. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
  5. Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1., "SP 800-18" https://doi.org/10.6028/NIST.SP.800-18r1
Enhancements
PL-2(1) - Concept Of Operations
[Withdrawn: Incorporated into PL-7].
PL-2(2) - Functional Architecture
[Withdrawn: Incorporated into PL-8].
PL-2(3) - Plan And Coordinate With Other Organizational Entities
[Withdrawn: Incorporated into PL-2].
SYSTEM SECURITY PLAN UPDATE
RMF Control
PL-3
Subject Area
PLANNING
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into PL-2].
Assessment Procedures
Related Controls
References
Enhancements
RULES OF BEHAVIOR
RMF Control
PL-4
Subject Area
PLANNING
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.
Instructions
PL-4a.
Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
PL-4b.
Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
PL-4c.
Review and update the rules of behavior [Assignment: organization-defined frequency]; and
PL-4d.
Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency]; when the rules are revised or updated].
Assessment Procedures
PL-4.1 - CCI-000592
The organization establishes the rules describing the responsibilities and expected behavior, with regard to information and information system usage, for individuals requiring access to the information system.
PL-4.2 - CCI-001639
The organization makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage.
PL-4.3 - CCI-000593
The organization receives a signed acknowledgment from individuals requiring access the system, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
PL-4.5 - CCI-003069
The organization defines the frequency to review and update the rules of behavior.
PL-4.4 - CCI-003068
The organization reviews and updates the rules of behavior in accordance with organization-defined frequency.
PL-4.6 - CCI-003070
The organization requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
Related Controls
  1. AC-2 - Account Management
  2. AC-6 - Least Privilege
  3. AC-8 - System Use Notification
  4. AC-9 - Previous Logon Notification
  5. AC-17 - Remote Access
  6. AC-18 - Wireless Access
  7. AC-19 - Access Control For Mobile Devices
  8. AC-20 - Use Of External Systems
  9. AT-2 - Literacy Training And Awareness
  10. AT-3 - Role-Based Training
  11. CM-11 - User-Installed Software
  12. IA-2 - Identification And Authentication (Organizational Users)
  13. IA-4 - Identifier Management
  14. IA-5 - Authenticator Management
  15. MP-7 - Media Use
  16. PS-6 - Access Agreements
  17. PS-8 - Personnel Sanctions
  18. SA-5 - System Documentation
  19. SI-12 - Information Management And Retention
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1., "SP 800-18" https://doi.org/10.6028/NIST.SP.800-18r1
Enhancements
PL-4(1) - Social Media And External Site/Application Usage Restrictions
Include in the rules of behavior, restrictions on:
PRIVACY IMPACT ASSESSMENT
RMF Control
PL-5
Subject Area
PLANNING
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into RA-8].
Assessment Procedures
Related Controls
References
Enhancements
SECURITY-RELATED ACTIVITY PLANNING
RMF Control
PL-6
Subject Area
PLANNING
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into PL-2].
Assessment Procedures
Related Controls
References
Enhancements
CONCEPT OF OPERATIONS
RMF Control
PL-7
Subject Area
PLANNING
Baseline Areas
NOT SELECTED
Description
The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures. Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other organizational documents, such as procurement specifications, system development life cycle documents, and systems engineering documents.
Instructions
PL-7a.
Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and
PL-7b.
Review and update the CONOPS [Assignment: organization-defined frequency].
Assessment Procedures
PL-7.1 - CCI-003071
The organization develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security.
PL-7.2 - CCI-000577
The organization defines the frequency to review and update the security CONOPS.
PL-7.3 - CCI-000578
The organization reviews and updates the security CONOPS in accordance with organization-defined frequency.
Related Controls
  1. PL-2 - System Security And Privacy Plans
  2. SA-2 - Allocation Of Resources
  3. SI-12 - Information Management And Retention
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SECURITY AND PRIVACY ARCHITECTURES
RMF Control
PL-8
Subject Area
PLANNING
Baseline Areas
MODERATE, HIGH, PRIVACY
Description
The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7, which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs. SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews). In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures. PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.
Instructions
PL-8a.
Develop security and privacy architectures for the system that:
PL-8b.
Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and
PL-8c.
Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
Assessment Procedures
PL-8.1 - CCI-003072
The organization develops an information security architecture for the information system.
PL-8.2 - CCI-003073
The organization's information security architecture for the information system describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information.
PL-8.3 - CCI-003074
The organization's information security architecture for the information system describes how the information security architecture is integrated into and supports the enterprise architecture.
PL-8.4 - CCI-003075
The organization's information security architecture for the information system describes any information security assumptions about, and dependencies on, external services.
PL-8.5 - CCI-003076
The organization reviews and updates the information security architecture in accordance with organization-defined frequency to reflect updates in the enterprise architecture.
PL-8.6 - CCI-003077
The organization defines the frequency to review and update the information system architecture.
PL-8.7 - CCI-003078
The organization ensures that planned information security architecture changes are reflected in the security plan.
PL-8.8 - CCI-003079
The organization ensures that planned information security architecture changes are reflected in the security Concept of Operations (CONOPS).
PL-8.9 - CCI-003080
The organization ensures that planned information security architecture changes are reflected in organizational procurements/acquisitions.
Related Controls
  1. CM-2 - Baseline Configuration
  2. CM-6 - Configuration Settings
  3. PL-2 - System Security And Privacy Plans
  4. PL-7 - Concept Of Operations
  5. PL-9 - Central Management
  6. PM-5 - System Inventory
  7. PM-7 - Enterprise Architecture
  8. RA-9 - Criticality Analysis
  9. SA-3 - System Development Life Cycle
  10. SA-5 - System Documentation
  11. SA-8 - Security And Privacy Engineering Principles
  12. SA-17 - Developer Security And Privacy Architecture And Design
  13. SC-7 - Boundary Protection
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  3. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
PL-8(1) - Defense In Depth
Design the security and privacy architectures for the system using a defense-in-depth approach that:
PL-8(2) - Supplier Diversity
Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
CENTRAL MANAGEMENT
RMF Control
PL-9
Subject Area
PLANNING
Baseline Areas
NOT SELECTED, PRIVACY
Description
Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring. Automated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization. As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-3, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6, CM-6(1), CM-7(2), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-4(all), SI-7, SI-8.
Instructions
Centrally manage [Assignment: organization-defined controls and related processes].
Assessment Procedures
PL-9.1 - CCI-003117
The organization centrally manages organization-defined security controls and related processes.
PL-9.2 - CCI-003118
The organization defines security controls and related processes to be centrally managed.
Related Controls
  1. PL-8 - Security And Privacy Architectures
  2. PM-9 - Risk Management Strategy
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
BASELINE SELECTION
RMF Control
PL-10
Subject Area
PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in SP 800-53B. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.
Instructions
Select a control baseline for the system.
Assessment Procedures
Related Controls
  1. PL-2 - System Security And Privacy Plans
  2. PL-11 - Baseline Tailoring
  3. RA-2 - Security Categorization
  4. RA-3 - Risk Assessment
  5. SA-8 - Security And Privacy Engineering Principles
References
  1. Committee on National Security Systems Instruction No. 1253, , March 2014., "CNSSI 1253" https://www.cnss.gov/CNSS/issuances/Instructions.c
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B., "SP 800-53B" https://doi.org/10.6028/NIST.SP.800-53B
  4. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  5. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  6. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  7. National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200., "FIPS 200" https://doi.org/10.6028/NIST.FIPS.200
  8. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  9. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  10. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
BASELINE TAILORING
RMF Control
PL-11
Subject Area
PLANNING
Baseline Areas
LOW, MODERATE, HIGH
Description
The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B. Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT, and OMB A-130. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.
Instructions
Tailor the selected control baseline by applying specified tailoring actions.
Assessment Procedures
Related Controls
  1. PL-10 - Baseline Selection
  2. RA-2 - Security Categorization
  3. RA-3 - Risk Assessment
  4. RA-9 - Criticality Analysis
  5. SA-8 - Security And Privacy Engineering Principles
References
  1. Committee on National Security Systems Instruction No. 1253, , March 2014., "CNSSI 1253" https://www.cnss.gov/CNSS/issuances/Instructions.c
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B., "SP 800-53B" https://doi.org/10.6028/NIST.SP.800-53B
  4. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  5. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  6. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  7. National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200., "FIPS 200" https://doi.org/10.6028/NIST.FIPS.200
  8. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  9. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  10. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
INFORMATION SECURITY PROGRAM PLAN
RMF Control
PM-1
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in PM-18 and SR-2, respectively. An information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments. Program management controls may be implemented at the organization level or the mission or business process level, and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system. Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization. Common controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls. Events that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
PM-1a.
Develop and disseminate an organization-wide information security program plan that:
PM-1b.
Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
PM-1c.
Protect the information security program plan from unauthorized disclosure and modification.
Assessment Procedures
PM-1.1 - CCI-000073
The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
PM-1.2 - CCI-002985
The organization disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
PM-1.4 - CCI-001680
The organization develops an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PM-1.3 - CCI-002986
The organization disseminates an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PM-1.5 - CCI-002984
The organization develops an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
PM-1.6 - CCI-002987
The organization disseminates an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
PM-1.8 - CCI-000074
The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
PM-1.7 - CCI-002988
The organization disseminates an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
PM-1.10 - CCI-000076
The organization defines the frequency to review the organization-wide information security program plan.
PM-1.9 - CCI-000075
The organization reviews the organization-wide information security program plan on an organization-defined frequency.
PM-1.11 - CCI-000077
The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.
PM-1.12 - CCI-002989
The organization protects the information security program plan from unauthorized disclosure.
PM-1.13 - CCI-002990
The organization protects the information security program plan from unauthorized modification.
Related Controls
  1. PL-2 - System Security And Privacy Plans
  2. PM-18 - Privacy Program Plan
  3. PM-30 - Supply Chain Risk Management Strategy
  4. RA-9 - Criticality Analysis
  5. SI-12 - Information Management And Retention
  6. SR-2 - Supply Chain Risk Management Plan
References
  1. Federal Information Security Modernization Act (P.L. 113-283), December 2014., "FISMA" https://www.congress.gov/113/plaws/publ283/PLAW-11
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  4. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
INFORMATION SECURITY PROGRAM LEADERSHIP ROLE
RMF Control
PM-2
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.
Instructions
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Assessment Procedures
PM-2.1 - CCI-000078
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Related Controls
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Office of Management and Budget Memorandum M-17-25, , May 2017., "OMB M-17-25" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
Enhancements
INFORMATION SECURITY AND PRIVACY RESOURCES
RMF Control
PM-3
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.
Instructions
PM-3a.
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
PM-3b.
Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and
PM-3c.
Make available for expenditure, the planned information security and privacy resources.
Assessment Procedures
PM-3.1 - CCI-000080
The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.
PM-3.2 - CCI-000081
The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.
PM-3.3 - CCI-000141
The organization ensures that information security resources are available for expenditure as planned.
Related Controls
  1. PM-4 - Plan Of Action And Milestones Process
  2. SA-2 - Allocation Of Resources
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
PLAN OF ACTION AND MILESTONES PROCESS
RMF Control
PM-4
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-5.
Instructions
PM-4a.
Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
PM-4b.
Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Assessment Procedures
PM-4.2 - CCI-002991
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are developed.
PM-4.1 - CCI-000142
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained.
PM-4.3 - CCI-000170
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.
PM-4.4 - CCI-002992
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements.
PM-4.5 - CCI-002993
The organization reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Related Controls
  1. CA-5 - Plan Of Action And Milestones
  2. CA-7 - Continuous Monitoring
  3. PM-3 - Information Security And Privacy Resources
  4. RA-7 - Risk Response
  5. SI-12 - Information Management And Retention
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
SYSTEM INVENTORY
RMF Control
PM-5
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
OMB A-130 provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.
Instructions
Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.
Assessment Procedures
PM-5.1 - CCI-000207
The organization develops and maintains an inventory of its information systems.
Related Controls
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
PM-5(1) - Inventory Of Personally Identifiable Information
Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.
MEASURES OF PERFORMANCE
RMF Control
PM-6
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy.
Instructions
Develop, monitor, and report on the results of information security and privacy measures of performance.
Assessment Procedures
PM-6.1 - CCI-000209
The organization develops the results of information security measures of performance.
PM-6.2 - CCI-000210
The organization monitors the results of information security measures of performance.
PM-6.3 - CCI-000211
The organization reports on the results of information security measures of performance.
Related Controls
  1. CA-7 - Continuous Monitoring
  2. PM-9 - Risk Management Strategy
References
  1. Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1., "SP 800-55" https://doi.org/10.6028/NIST.SP.800-55r1
  2. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  3. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  4. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
ENTERPRISE ARCHITECTURE
RMF Control
PM-7
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework SP 800-37 and supporting security standards and guidelines.
Instructions
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Assessment Procedures
PM-7.1 - CCI-000212
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Related Controls
  1. AU-6 - Audit Record Review, Analysis, And Reporting
  2. PL-2 - System Security And Privacy Plans
  3. PL-8 - Security And Privacy Architectures
  4. PM-11 - Mission And Business Process Definition
  5. RA-2 - Security Categorization
  6. SA-3 - System Development Life Cycle
  7. SA-8 - Security And Privacy Engineering Principles
  8. SA-17 - Developer Security And Privacy Architecture And Design
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  5. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
PM-7(1) - Offloading
Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider.
CRITICAL INFRASTRUCTURE PLAN
RMF Control
PM-8
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Instructions
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Assessment Procedures
PM-8.1 - CCI-000216
The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues.
PM-8.2 - CCI-001640
The organization updates the critical infrastructure and key resources protection plan that addresses information security issues.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-4 - Contingency Plan Testing
  3. PE-18 - Location Of System Components
  4. PL-2 - System Security And Privacy Plans
  5. PM-9 - Risk Management Strategy
  6. PM-11 - Mission And Business Process Definition
  7. PM-18 - Privacy Program Plan
  8. RA-3 - Risk Assessment
  9. SI-12 - Information Management And Retention
References
  1. Department of Homeland Security, , 2009., "DHS NIPP" https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf
  2. Executive Order 13636, , February 2013., "EO 13636" https://obamawhitehouse.archives.gov/the-press-off
  3. Homeland Security Presidential Directive 7, , December 2003., "HSPD 7" https://www.dhs.gov/homeland-security-presidential
  4. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
RISK MANAGEMENT STRATEGY
RMF Control
PM-9
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.
Instructions
PM-9a.
Develops a comprehensive strategy to manage:
PM-9b.
Implement the risk management strategy consistently across the organization; and
PM-9c.
Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
Assessment Procedures
PM-9.1 - CCI-000227
The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.
PM-9.2 - CCI-000228
The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization.
PM-9.3 - CCI-002994
The organization reviews and updates the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes.
PM-9.4 - CCI-002995
The organization defines the frequency to review and update the risk management strategy to address organizational changes.
Related Controls
  1. AC-1 - Policy And Procedures
  2. AT-1 - Policy And Procedures
  3. AU-1 - Policy And Procedures
  4. CA-1 - Policy And Procedures
  5. CA-2 - Control Assessments
  6. CA-5 - Plan Of Action And Milestones
  7. CA-6 - Authorization
  8. CA-7 - Continuous Monitoring
  9. CM-1 - Policy And Procedures
  10. CP-1 - Policy And Procedures
  11. IA-1 - Policy And Procedures
  12. IR-1 - Policy And Procedures
  13. MA-1 - Policy And Procedures
  14. MP-1 - Policy And Procedures
  15. PE-1 - Policy And Procedures
  16. PL-1 - Policy And Procedures
  17. PL-2 - System Security And Privacy Plans
  18. PM-2 - Information Security Program Leadership Role
  19. PM-8 - Critical Infrastructure Plan
  20. PM-18 - Privacy Program Plan
  21. PM-28 - Risk Framing
  22. PM-30 - Supply Chain Risk Management Strategy
  23. PS-1 - Policy And Procedures
  24. PT-1 - Policy And Procedures
  25. PT-2 - Authority To Process Personally Identifiable Information
  26. PT-3 - Personally Identifiable Information Processing Purposes
  27. RA-1 - Policy And Procedures
  28. RA-3 - Risk Assessment
  29. RA-9 - Criticality Analysis
  30. SA-1 - Policy And Procedures
  31. SA-4 - Acquisition Process
  32. SC-1 - Policy And Procedures
  33. SC-38 - Operations Security
  34. SI-1 - Policy And Procedures
  35. SI-12 - Information Management And Retention
  36. SR-1 - Policy And Procedures
  37. SR-2 - Supply Chain Risk Management Plan
References
  1. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  2. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  3. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  4. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  5. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  6. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AUTHORIZATION PROCESS
RMF Control
PM-10
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Instructions
PM-10a.
Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
PM-10b.
Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
PM-10c.
Integrate the authorization processes into an organization-wide risk management program.
Assessment Procedures
PM-10.1 - CCI-000229
The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
PM-10.2 - CCI-000230
The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
PM-10.3 - CCI-000231
The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
PM-10.4 - CCI-000233
The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process.
PM-10.5 - CCI-000234
The organization fully integrates the security authorization processes into an organization-wide risk management program.
Related Controls
  1. CA-6 - Authorization
  2. CA-7 - Continuous Monitoring
  3. PL-2 - System Security And Privacy Plans
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
Enhancements
MISSION AND BUSINESS PROCESS DEFINITION
RMF Control
PM-11
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures.
Instructions
PM-11a.
Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
PM-11b.
Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
PM-11c.
Review and revise the mission and business processes [Assignment: organization-defined frequency].
Assessment Procedures
PM-11.1 - CCI-000235
The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
PM-11.2 - CCI-000236
The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs are obtained.
Related Controls
  1. CP-2 - Contingency Plan
  2. PL-2 - System Security And Privacy Plans
  3. PM-7 - Enterprise Architecture
  4. PM-8 - Critical Infrastructure Plan
  5. RA-2 - Security Categorization
  6. RA-3 - Risk Assessment
  7. RA-9 - Criticality Analysis
  8. SA-2 - Allocation Of Resources
References
  1. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  2. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  5. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  6. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
INSIDER THREAT PROGRAM
RMF Control
PM-12
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP, to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture. Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Assessment Procedures
PM-12.1 - CCI-002996
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
Related Controls
  1. AC-6 - Least Privilege
  2. AT-2 - Literacy Training And Awareness
  3. AU-6 - Audit Record Review, Analysis, And Reporting
  4. AU-7 - Audit Record Reduction And Report Generation
  5. AU-10 - Non-Repudiation
  6. AU-12 - Audit Record Generation
  7. AU-13 - Monitoring For Information Disclosure
  8. CA-7 - Continuous Monitoring
  9. IA-4 - Identifier Management
  10. IR-4 - Incident Handling
  11. MP-7 - Media Use
  12. PE-2 - Physical Access Authorizations
  13. PM-14 - Testing, Training, And Monitoring
  14. PM-16 - Threat Awareness Program
  15. PS-3 - Personnel Screening
  16. PS-4 - Personnel Termination
  17. PS-5 - Personnel Transfer
  18. PS-7 - External Personnel Security
  19. PS-8 - Personnel Sanctions
  20. SC-7 - Boundary Protection
  21. SC-38 - Operations Security
  22. SI-4 - System Monitoring
References
  1. Executive Order 13587, , October 2011., "EO 13587" https://obamawhitehouse.archives.gov/the-press-off
  2. Office of the Director National Intelligence, , "ODNI NITP" https://www.dni.gov/files/NCSC/documents/nittf/Nat
  3. Presidential Memorandum for the Heads of Executive Departments and Agencies, , November 2012., "NITP12" https://obamawhitehouse.archives.gov/the-press-off
Enhancements
SECURITY AND PRIVACY WORKFORCE
RMF Control
PM-13
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.
Instructions
Establish a security and privacy workforce development and improvement program.
Assessment Procedures
PM-13.1 - CCI-002997
The organization establishes an information security workforce development and improvement program.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
Enhancements
TESTING, TRAINING, AND MONITORING
RMF Control
PM-14
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.
Instructions
PM-14a.
Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
PM-14b.
Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Assessment Procedures
PM-14.1 - CCI-002998
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed.
PM-14.2 - CCI-002999
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained.
PM-14.3 - CCI-003000
The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are developed.
PM-14.4 - CCI-003001
The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are maintained.
PM-14.5 - CCI-003002
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are developed.
PM-14.6 - CCI-003003
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are maintained.
PM-14.7 - CCI-003004
The organization implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner.
PM-14.8 - CCI-003005
The organization implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner.
PM-14.9 - CCI-003006
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner.
PM-14.10 - CCI-003007
The organization reviews testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-14.11 - CCI-003008
The organization reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-14.12 - CCI-003009
The organization reviews monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. CA-7 - Continuous Monitoring
  4. CP-4 - Contingency Plan Testing
  5. IR-3 - Incident Response Testing
  6. PM-12 - Insider Threat Program
  7. SI-4 - System Monitoring
References
  1. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  4. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  6. Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115., "SP 800-115" https://doi.org/10.6028/NIST.SP.800-115
Enhancements
SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS
RMF Control
PM-15
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Instructions
Establish and institutionalize contact with selected groups and associations within the security and privacy communities:
PM-15a.
To facilitate ongoing security and privacy education and training for organizational personnel;
PM-15b.
To maintain currency with recommended security and privacy practices, techniques, and technologies; and
PM-15c.
To share current security and privacy information, including threats, vulnerabilities, and incidents.
Assessment Procedures
PM-15.1 - CCI-003010
The organization establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel.
PM-15.2 - CCI-003011
The organization establishes and institutionalizes contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies.
PM-15.3 - CCI-003012
The organization establishes and institutionalizes contact with selected groups and associations within the security community to share current security-related information including threats, vulnerabilities, and incidents.
Related Controls
  1. SA-11 - Developer Testing And Evaluation
  2. SI-5 - Security Alerts, Advisories, And Directives
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
THREAT AWARENESS PROGRAM
RMF Control
PM-16
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared.
Instructions
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Assessment Procedures
PM-16.1 - CCI-003013
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
Related Controls
  1. IR-4 - Incident Handling
  2. PM-12 - Insider Threat Program
References
Enhancements
PM-16(1) - Automated Means For Sharing Threat Intelligence
Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.
PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS
RMF Control
PM-17
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 and, specifically for systems external to the federal organization, 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.
Instructions
PM-17a.
Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
PM-17b.
Review and update the policy and procedures [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. CA-6 - Authorization
  2. PM-10 - Authorization Process
References
  1. Code of Federal Regulations, Title 32, (32 C.F.R. 2002)., "32 CFR 2002" https://www.federalregister.gov/documents/2016/09/
  2. National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry., "NARA CUI" https://www.archives.gov/cui
  3. Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2., "SP 800-171" https://doi.org/10.6028/NIST.SP.800-171r2
  4. Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172., "SP 800-172" https://doi.org/10.6028/NIST.SP.800-172-draft
Enhancements
PRIVACY PROGRAM PLAN
RMF Control
PM-18
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization. Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.
Instructions
PM-18a.
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:
PM-18b.
Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
Assessment Procedures
Related Controls
  1. PM-8 - Critical Infrastructure Plan
  2. PM-9 - Risk Management Strategy
  3. PM-19 - Privacy Program Leadership Role
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PRIVACY PROGRAM LEADERSHIP ROLE
RMF Control
PM-19
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see PM-23) and the data integrity board (see PM-24).
Instructions
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
Assessment Procedures
Related Controls
  1. PM-18 - Privacy Program Plan
  2. PM-20 - Dissemination Of Privacy Program Information
  3. PM-23 - Data Governance Body
  4. PM-24 - Data Integrity Board
  5. PM-27 - Privacy Reporting
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
DISSEMINATION OF PRIVACY PROGRAM INFORMATION
RMF Control
PM-20
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, PRIVACT exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.
Instructions
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:
PM-20a.
Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;
PM-20b.
Ensures that organizational privacy practices and reports are publicly available; and
PM-20c.
Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. PM-19 - Privacy Program Leadership Role
  3. PT-5 - Privacy Notice
  4. PT-6 - System Of Records Notice
  5. PT-7 - Specific Categories Of Personally Identifiable Information
  6. RA-8 - Privacy Impact Assessments
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Office of Management and Budget Memorandum M-17-06, , November 2016., "OMB M-17-06" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PM-20(1) - Privacy Policies On Websites, Applications, And Digital Services
Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:
ACCOUNTING OF DISCLOSURES
RMF Control
PM-21
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the PRIVACT; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions.
Instructions
PM-21a.
Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
PM-21b.
Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
PM-21c.
Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. AU-2 - Event Logging
  3. PT-2 - Authority To Process Personally Identifiable Information
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT
RMF Control
PM-22
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information. The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.
Instructions
Develop and document organization-wide policies and procedures for:
PM-22a.
Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
PM-22b.
Correcting or deleting inaccurate or outdated personally identifiable information;
PM-22c.
Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
PM-22d.
Appeals of adverse decisions on correction or deletion requests.
Assessment Procedures
Related Controls
  1. PM-23 - Data Governance Body
  2. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188., "SP 800-188" https://csrc.nist.gov/publications/detail/sp/800-1
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Office of Management and Budget Memorandum M-19-15, , April 2019., "OMB M-19-15" https://www.whitehouse.gov/wp-content/uploads/2019
Enhancements
DATA GOVERNANCE BODY
RMF Control
PM-23
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the EVIDACT and policies set forth under OMB M-19-23.
Instructions
Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].
Assessment Procedures
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. PM-19 - Privacy Program Leadership Role
  4. PM-22 - Personally Identifiable Information Quality Management
  5. PM-24 - Data Integrity Board
  6. PT-7 - Specific Categories Of Personally Identifiable Information
  7. SI-4 - System Monitoring
  8. SI-19 - De-Identification
References
  1. Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019., "EVIDACT" https://www.congress.gov/115/plaws/publ435/PLAW-11
  2. Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188., "SP 800-188" https://csrc.nist.gov/publications/detail/sp/800-1
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Office of Management and Budget Memorandum M-19-23, , July 2019., "OMB M-19-23" https://www.whitehouse.gov/wp-content/uploads/2019
Enhancements
DATA INTEGRITY BOARD
RMF Control
PM-24
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.
Instructions
Establish a Data Integrity Board to:
PM-24a.
Review proposals to conduct or participate in a matching program; and
PM-24b.
Conduct an annual review of all matching programs in which the agency has participated.
Assessment Procedures
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. PM-19 - Privacy Program Leadership Role
  3. PM-23 - Data Governance Body
  4. PT-2 - Authority To Process Personally Identifiable Information
  5. PT-8 - Computer Matching Requirements
References
  1. Office of Management and Budget Memorandum Circular A-108, , December 2016., "OMB A-108" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION USED IN TESTING, TRAINING, AND RESEARCH
RMF Control
PM-25
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.
Instructions
PM-25a.
Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
PM-25b.
Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
PM-25c.
Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
PM-25d.
Review and update policies and procedures [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. PM-23 - Data Governance Body
  2. PT-3 - Personally Identifiable Information Processing Purposes
  3. SA-3 - System Development Life Cycle
  4. SA-8 - Security And Privacy Engineering Principles
  5. SI-12 - Information Management And Retention
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
COMPLAINT MANAGEMENT
RMF Control
PM-26
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes.
Instructions
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
PM-26a.
Mechanisms that are easy to use and readily accessible by the public;
PM-26b.
All information necessary for successfully filing complaints;
PM-26c.
Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period];
PM-26d.
Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and
PM-26e.
Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period].
Assessment Procedures
Related Controls
  1. IR-7 - Incident Response Assistance
  2. IR-9 - Information Spillage Response
  3. PM-22 - Personally Identifiable Information Quality Management
  4. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
PRIVACY REPORTING
RMF Control
PM-27
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.
Instructions
PM-27a.
Develop [Assignment: organization-defined privacy reports] and disseminate to:
PM-27b.
Review and update privacy reports [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. IR-9 - Information Spillage Response
  2. PM-19 - Privacy Program Leadership Role
References
  1. Federal Information Security Modernization Act (P.L. 113-283), December 2014., "FISMA" https://www.congress.gov/113/plaws/publ283/PLAW-11
  2. Office of Management and Budget Memorandum Circular A-108, , December 2016., "OMB A-108" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
RISK FRAMING
RMF Control
PM-28
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.
Instructions
PM-28a.
Identify and document:
PM-28b.
Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
PM-28c.
Review and update risk framing considerations [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. CA-7 - Continuous Monitoring
  2. PM-9 - Risk Management Strategy
  3. RA-3 - Risk Assessment
  4. RA-7 - Risk Response
References
  1. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
RISK MANAGEMENT PROGRAM LEADERSHIP ROLES
RMF Control
PM-29
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.
Instructions
PM-29a.
Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
PM-29b.
Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.
Assessment Procedures
Related Controls
  1. PM-2 - Information Security Program Leadership Role
  2. PM-19 - Privacy Program Leadership Role
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
Enhancements
SUPPLY CHAIN RISK MANAGEMENT STRATEGY
RMF Control
PM-30
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-2) is implemented at the system level.
Instructions
PM-30a.
Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
Assessment Procedures
Related Controls
  1. CM-10 - Software Usage Restrictions
  2. PM-9 - Risk Management Strategy
  3. SR-1 - Policy And Procedures
  4. SR-2 - Supply Chain Risk Management Plan
  5. SR-3 - Supply Chain Controls And Processes
  6. SR-4 - Provenance
  7. SR-5 - Acquisition Strategies, Tools, And Methods
  8. SR-6 - Supplier Assessments And Reviews
  9. SR-7 - Supply Chain Operations Security
  10. SR-8 - Notification Agreements
  11. SR-9 - Tamper Resistance And Detection
  12. SR-11 - Component Authenticity
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  3. Committee on National Security Systems Directive No. 505, , August 2017., "CNSSD 505" https://www.cnss.gov/CNSS/issuances/Directives.cfm
  4. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  5. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
  6. International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, , April 2014., "ISO 27036" https://www.iso.org/standard/59648.html
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  8. Office of Management and Budget Memorandum M-17-06, , November 2016., "OMB M-17-06" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  9. Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272., "IR 8272" https://doi.org/10.6028/NIST.IR.8272
  10. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
  11. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
PM-30(1) - Suppliers Of Critical Or Mission-Essential Items
Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
CONTINUOUS MONITORING STRATEGY
RMF Control
PM-31
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, SI-4.
Instructions
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
PM-31a.
Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics];
PM-31b.
Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
PM-31c.
Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
PM-31d.
Correlation and analysis of information generated by control assessments and monitoring;
PM-31e.
Response actions to address results of the analysis of control assessment and monitoring information; and
PM-31f.
Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. AC-2 - Account Management
  2. AC-6 - Least Privilege
  3. AC-17 - Remote Access
  4. AT-4 - Training Records
  5. AU-6 - Audit Record Review, Analysis, And Reporting
  6. AU-13 - Monitoring For Information Disclosure
  7. CA-2 - Control Assessments
  8. CA-5 - Plan Of Action And Milestones
  9. CA-6 - Authorization
  10. CA-7 - Continuous Monitoring
  11. CM-3 - Configuration Change Control
  12. CM-4 - Impact Analyses
  13. CM-6 - Configuration Settings
  14. CM-11 - User-Installed Software
  15. IA-5 - Authenticator Management
  16. IR-5 - Incident Monitoring
  17. MA-2 - Controlled Maintenance
  18. MA-3 - Maintenance Tools
  19. MA-4 - Nonlocal Maintenance
  20. PE-3 - Physical Access Control
  21. PE-6 - Monitoring Physical Access
  22. PE-14 - Environmental Controls
  23. PE-16 - Delivery And Removal
  24. PE-20 - Asset Monitoring And Tracking
  25. PL-2 - System Security And Privacy Plans
  26. PM-4 - Plan Of Action And Milestones Process
  27. PM-6 - Measures Of Performance
  28. PM-9 - Risk Management Strategy
  29. PM-10 - Authorization Process
  30. PM-12 - Insider Threat Program
  31. PM-14 - Testing, Training, And Monitoring
  32. PM-23 - Data Governance Body
  33. PM-28 - Risk Framing
  34. PS-7 - External Personnel Security
  35. PT-7 - Specific Categories Of Personally Identifiable Information
  36. RA-3 - Risk Assessment
  37. RA-5 - Vulnerability Monitoring And Scanning
  38. RA-7 - Risk Response
  39. SA-9 - External System Services
  40. SA-11 - Developer Testing And Evaluation
  41. SC-5 - Denial-Of-Service Protection
  42. SC-7 - Boundary Protection
  43. SC-18 - Mobile Code
  44. SC-38 - Operations Security
  45. SC-43 - Usage Restrictions
  46. SI-3 - Malicious Code Protection
  47. SI-4 - System Monitoring
  48. SI-12 - Information Management And Retention
  49. SR-2 - Supply Chain Risk Management Plan
  50. SR-4 - Provenance
References
  1. Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A., "SP 800-137A" https://doi.org/10.6028/NIST.SP.800-137A
  2. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  3. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  4. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
Enhancements
PURPOSING
RMF Control
PM-32
Subject Area
PROGRAM MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.
Instructions
Analyze [Assignment: organization-defined systems or systems components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
Assessment Procedures
Related Controls
  1. CA-7 - Continuous Monitoring
  2. PL-2 - System Security And Privacy Plans
  3. RA-3 - Risk Assessment
  4. RA-9 - Criticality Analysis
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  2. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
POLICY AND PROCEDURES
RMF Control
PS-1
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
PS-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PS-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
PS-1c.
Review and update the current personnel security:
Assessment Procedures
PS-1.1 - CCI-003017
The organization defines the personnel or roles to whom a personnel security policy is disseminated.
PS-1.2 - CCI-003018
The organization defines the personnel or roles to whom the personnel security procedures are disseminated.
PS-1.3 - CCI-001504
The organization develops and documents a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PS-1.4 - CCI-001505
The organization disseminates a personnel security policy to organization-defined personnel or roles.
PS-1.6 - CCI-001509
The organization develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
PS-1.5 - CCI-001510
The organization disseminates personnel security procedures to organization-defined personnel or roles.
PS-1.8 - CCI-001507
The organization defines the frequency to review and update the current personnel security policy.
PS-1.7 - CCI-001506
The organization reviews and updates the current personnel security policy in accordance with organization-defined frequency.
PS-1.10 - CCI-001508
The organization defines the frequency to review and update the current personnel security procedures.
PS-1.9 - CCI-001511
The organization reviews and updates the current personnel security procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
Enhancements
POSITION RISK DESIGNATION
RMF Control
PS-2
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.
Instructions
PS-2a.
Assign a risk designation to all organizational positions;
PS-2b.
Establish screening criteria for individuals filling those positions; and
PS-2c.
Review and update position risk designations [Assignment: organization-defined frequency].
Assessment Procedures
PS-2.1 - CCI-001512
The organization assigns a risk designation to all organizational positions.
PS-2.2 - CCI-001513
The organization establishes screening criteria for individuals filling organizational positions.
PS-2.3 - CCI-001514
The organization reviews and updates position risk designations in accordance with organization-defined frequency.
PS-2.4 - CCI-001515
The organization defines the frequency to review and update position risk designations.
Related Controls
  1. AC-5 - Separation Of Duties
  2. AT-3 - Role-Based Training
  3. PE-2 - Physical Access Authorizations
  4. PE-3 - Physical Access Control
  5. PL-2 - System Security And Privacy Plans
  6. PS-3 - Personnel Screening
  7. PS-6 - Access Agreements
  8. SA-5 - System Documentation
  9. SA-21 - Developer Screening
  10. SI-12 - Information Management And Retention
References
  1. Code of Federal Regulations, Title 5, , Section 731.106, (5 C.F.R. 731.106)., "5 CFR 731" https://www.govinfo.gov/content/pkg/CFR-2012-title
  2. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
Enhancements
PERSONNEL SCREENING
RMF Control
PS-3
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.
Instructions
PS-3a.
Screen individuals prior to authorizing access to the system; and
PS-3b.
Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
Assessment Procedures
PS-3.1 - CCI-001516
The organization screens individuals prior to authorizing access to the information system.
PS-3.2 - CCI-001517
The organization rescreens individuals with authorized access to the information system according to organization-defined conditions requiring rescreening, and where rescreening is so indicated, the organization-defined frequency of such rescreening.
PS-3.3 - CCI-001518
The organization defines the conditions requiring rescreening of individuals with authorized access to the information system.
PS-3.4 - CCI-001519
The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.
Related Controls
  1. AC-2 - Account Management
  2. IA-4 - Identifier Management
  3. MA-5 - Maintenance Personnel
  4. PE-2 - Physical Access Authorizations
  5. PM-12 - Insider Threat Program
  6. PS-2 - Position Risk Designation
  7. PS-6 - Access Agreements
  8. PS-7 - External Personnel Security
  9. SA-21 - Developer Screening
References
  1. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  2. Executive Order 13526, , December 2009., "EO 13526" https://www.archives.gov/isoo/policy-documents/cns
  3. Executive Order 13587, , October 2011., "EO 13587" https://obamawhitehouse.archives.gov/the-press-off
  4. Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2., "SP 800-76-2" https://doi.org/10.6028/NIST.SP.800-76-2
  5. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  6. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  7. Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4., "SP 800-78-4" https://doi.org/10.6028/NIST.SP.800-78-4
  8. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  9. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
PS-3(1) - Classified Information
Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3(2) - Formal Indoctrination
Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.
PS-3(3) - Information Requiring Special Protective Measures
Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:
PS-3(4) - Citizenship Requirements
Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements].
PERSONNEL TERMINATION
RMF Control
PS-4
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.
Instructions
Upon termination of individual employment:
PS-4a.
Disable system access within [Assignment: organization-defined time period];
PS-4b.
Terminate or revoke any authenticators and credentials associated with the individual;
PS-4c.
Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics];
PS-4d.
Retrieve all security-related organizational system-related property; and
PS-4e.
Retain access to organizational information and systems formerly controlled by terminated individual.
Assessment Procedures
PS-4.2 - CCI-003022
The organization defines the time period to disable information system access upon termination of individual employment.
PS-4.1 - CCI-001522
The organization, upon termination of individual employment, disables information system access within organization-defined time period.
PS-4.3 - CCI-003023
The organization, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual.
PS-4.5 - CCI-003024
The organization defines information security topics to be discussed while conducting exit interviews.
PS-4.4 - CCI-001523
The organization, upon termination of individual employment, conducts exit interviews that include a discussion of organization-defined information security topics.
PS-4.6 - CCI-001524
The organization, upon termination of individual employment, retrieves all security-related organizational information systems-related property.
PS-4.7 - CCI-001525
The organization, upon termination of individual employment, retains access to organizational information formerly controlled by terminated individual.
PS-4.8 - CCI-001526
The organization, upon termination of individual employment, retains access to organizational information systems formerly controlled by terminated individual.
PS-4.10 - CCI-003025
The organization defines personnel or roles to notify upon termination of individual employment.
PS-4.11 - CCI-003026
The organization defines the time period in which to notify organization-defined personnel or roles upon termination of individual employment.
PS-4.9 - CCI-003016
The organization, upon termination of individual employment, notifies organization-defined personnel or roles within an organization-defined time period.
Related Controls
  1. AC-2 - Account Management
  2. IA-4 - Identifier Management
  3. PE-2 - Physical Access Authorizations
  4. PM-12 - Insider Threat Program
  5. PS-6 - Access Agreements
  6. PS-7 - External Personnel Security
References
Enhancements
PS-4(1) - Post-Employment Requirements
PS-4(2) - Automated Actions
Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources].
PERSONNEL TRANSFER
RMF Control
PS-5
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
Instructions
PS-5a.
Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
PS-5b.
Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
PS-5c.
Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
PS-5d.
Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
Assessment Procedures
PS-5.1 - CCI-001527
The organization reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization.
PS-5.2 - CCI-001528
The organization initiates organization-defined transfer or reassignment actions within an organization-defined time period following the formal personnel transfer action.
PS-5.3 - CCI-001529
The organization defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action.
PS-5.4 - CCI-001530
The organization defines the time period within which the organization initiates organization-defined transfer or reassignment actions, following the formal personnel transfer action.
PS-5.5 - CCI-003031
The organization modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.
PS-5.6 - CCI-003032
The organization notifies organization-defined personnel or roles within an organization-defined time period when individuals are transferred or reassigned to other positions within the organization.
PS-5.7 - CCI-003033
The organization defines personnel or roles to be notified when individuals are transferred or reassigned to other positions within the organization.
PS-5.8 - CCI-003034
The organization defines the time period within which organization-defined personnel or roles are to be notified when individuals are transferred or reassigned to other positions within the organization.
Related Controls
  1. AC-2 - Account Management
  2. IA-4 - Identifier Management
  3. PE-2 - Physical Access Authorizations
  4. PM-12 - Insider Threat Program
  5. PS-4 - Personnel Termination
  6. PS-7 - External Personnel Security
References
Enhancements
ACCESS AGREEMENTS
RMF Control
PS-6
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.
Instructions
PS-6a.
Develop and document access agreements for organizational systems;
PS-6b.
Review and update the access agreements [Assignment: organization-defined frequency]; and
PS-6c.
Verify that individuals requiring access to organizational information and systems:
Assessment Procedures
PS-6.1 - CCI-003035
The organization develops and documents access agreements for organizational information systems.
PS-6.3 - CCI-001533
The organization defines the frequency to review and update the access agreements.
PS-6.2 - CCI-001532
The organization reviews and updates the access agreements in accordance with organization-defined frequency.
PS-6.4 - CCI-001531
The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6.6 - CCI-003037
The organization defines the frequency for individuals requiring access to organization information and information systems to re-sign access agreements.
PS-6.5 - CCI-003036
The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.
Related Controls
  1. AC-17 - Remote Access
  2. PE-2 - Physical Access Authorizations
  3. PL-4 - Rules Of Behavior
  4. PS-2 - Position Risk Designation
  5. PS-3 - Personnel Screening
  6. PS-6 - Access Agreements
  7. PS-7 - External Personnel Security
  8. PS-8 - Personnel Sanctions
  9. SA-21 - Developer Screening
  10. SI-12 - Information Management And Retention
References
Enhancements
PS-6(1) - Information Requiring Special Protection
[Withdrawn: Incorporated into PS-3].
PS-6(2) - Classified Information Requiring Special Protection
Verify that access to classified information requiring special protection is granted only to individuals who:
PS-6(3) - Post-Employment Requirements
EXTERNAL PERSONNEL SECURITY
RMF Control
PS-7
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.
Instructions
PS-7a.
Establish personnel security requirements, including security roles and responsibilities for external providers;
PS-7b.
Require external providers to comply with personnel security policies and procedures established by the organization;
PS-7c.
Document personnel security requirements;
PS-7d.
Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and
PS-7e.
Monitor provider compliance with personnel security requirements.
Assessment Procedures
PS-7.1 - CCI-001539
The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.
PS-7.2 - CCI-003040
The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.
PS-7.3 - CCI-001540
The organization documents personnel security requirements for third-party providers.
PS-7.5 - CCI-003042
The organization defines personnel or roles whom third-party providers are to notify when third-party personnel who possess organizational credentials and /or badges or who have information system privileges are transferred or terminated.
PS-7.6 - CCI-003043
The organization defines the time period for third-party providers to notify organization-defined personnel or roles when third-party personnel who possess organizational credentials and /or badges or who have information system privileges are transferred or terminated.
PS-7.4 - CCI-003041
The organization requires third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within an organization-defined time period.
PS-7.7 - CCI-001541
The organization monitors third-party provider compliance with personnel security requirements.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. MA-5 - Maintenance Personnel
  4. PE-3 - Physical Access Control
  5. PS-2 - Position Risk Designation
  6. PS-3 - Personnel Screening
  7. PS-4 - Personnel Termination
  8. PS-5 - Personnel Transfer
  9. PS-6 - Access Agreements
  10. SA-5 - System Documentation
  11. SA-9 - External System Services
  12. SA-21 - Developer Screening
References
  1. Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35., "SP 800-35" https://doi.org/10.6028/NIST.SP.800-35
  2. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
Enhancements
PERSONNEL SANCTIONS
RMF Control
PS-8
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.
Instructions
PS-8a.
Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and
PS-8b.
Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
Assessment Procedures
PS-8.1 - CCI-001542
The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures.
PS-8.2 - CCI-003046
The organization defines the time period to notify organization-defined personnel or roles when a formal employee sanctions process is initiated.
PS-8.3 - CCI-003044
The organization notifies organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-8.4 - CCI-003045
The organization defines personnel or roles whom are to be notified when a formal employee sanctions process is initiated.
Related Controls
  1. PL-4 - Rules Of Behavior
  2. PM-12 - Insider Threat Program
  3. PS-6 - Access Agreements
  4. PT-1 - Policy And Procedures
References
Enhancements
POSITION DESCRIPTIONS
RMF Control
PS-9
Subject Area
PERSONNEL SECURITY
Baseline Areas
LOW, MODERATE, HIGH
Description
Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.
Instructions
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
Assessment Procedures
Related Controls
References
  1. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
Enhancements
POLICY AND PROCEDURES
RMF Control
PT-1
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of personally identifiable information processing and transparency policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personally identifiable information processing and transparency policy and procedures include assessment or audit findings, breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
PT-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PT-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and
PT-1c.
Review and update the current personally identifiable information processing and transparency:
Assessment Procedures
Related Controls
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION
RMF Control
PT-2
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks. Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, PRIVACT statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation. Organizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.
Instructions
PT-2a.
Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined processing] of personally identifiable information; and
PT-2b.
Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is authorized.
Assessment Procedures
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. CM-13 - Data Action Mapping
  4. IR-9 - Information Spillage Response
  5. PM-9 - Risk Management Strategy
  6. PM-24 - Data Integrity Board
  7. PT-1 - Policy And Procedures
  8. PT-3 - Personally Identifiable Information Processing Purposes
  9. PT-5 - Privacy Notice
  10. PT-6 - System Of Records Notice
  11. RA-3 - Risk Assessment
  12. RA-8 - Privacy Impact Assessments
  13. SI-12 - Information Management And Retention
  14. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112., "IR 8112" https://doi.org/10.6028/NIST.IR.8112
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PT-2(1) - Data Tagging
Attach data tags containing [Assignment: organization-defined authorized processing] to [Assignment: organization-defined elements of personally identifiable information].
PT-2(2) - Automation
Manage enforcement of the authorized processing of personally identifiable information using [Assignment: organization-defined automated mechanisms].
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES
RMF Control
PT-3
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, PRIVACT statements, computer matching notices, and other applicable Federal Register notices. Organizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information. Organizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes.
Instructions
PT-3a.
Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information;
PT-3b.
Describe the purpose(s) in the public privacy notices and policies of the organization;
PT-3c.
Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and
PT-3d.
Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements].
Assessment Procedures
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AT-3 - Role-Based Training
  4. CM-13 - Data Action Mapping
  5. IR-9 - Information Spillage Response
  6. PM-9 - Risk Management Strategy
  7. PM-25 - Minimization Of Personally Identifiable Information Used In Testing, Training, And Research
  8. PT-2 - Authority To Process Personally Identifiable Information
  9. PT-5 - Privacy Notice
  10. PT-6 - System Of Records Notice
  11. PT-7 - Specific Categories Of Personally Identifiable Information
  12. RA-8 - Privacy Impact Assessments
  13. SC-43 - Usage Restrictions
  14. SI-12 - Information Management And Retention
  15. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112., "IR 8112" https://doi.org/10.6028/NIST.IR.8112
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PT-3(1) - Data Tagging
Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally identifiable information]: [Assignment: organization-defined processing purposes].
PT-3(2) - Automation
Track processing purposes of personally identifiable information using [Assignment: organization-defined automated mechanisms].
CONSENT
RMF Control
PT-4
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon.
Instructions
Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
Assessment Procedures
Related Controls
  1. AC-16 - Security And Privacy Attributes
  2. PT-2 - Authority To Process Personally Identifiable Information
  3. PT-5 - Privacy Notice
References
  1. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PT-4(1) - Tailored Consent
Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information.
PT-4(2) - Just-In-Time Consent
Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organization-defined frequency] and in conjunction with [Assignment: organization-defined personally identifiable information processing].
PT-4(3) - Revocation
Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the processing of their personally identifiable information.
PRIVACY NOTICE
RMF Control
PT-5
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices. Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.
Instructions
Provide notice to individuals about the processing of personally identifiable information that:
PT-5a.
Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency];
PT-5b.
Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
PT-5c.
Identifies the authority that authorizes the processing of personally identifiable information;
PT-5d.
Identifies the purposes for which personally identifiable information is to be processed; and
PT-5e.
Includes [Assignment: organization-defined information].
Assessment Procedures
Related Controls
  1. PM-20 - Dissemination Of Privacy Program Information
  2. PM-22 - Personally Identifiable Information Quality Management
  3. PT-2 - Authority To Process Personally Identifiable Information
  4. PT-3 - Personally Identifiable Information Processing Purposes
  5. PT-4 - Consent
  6. PT-7 - Specific Categories Of Personally Identifiable Information
  7. RA-3 - Risk Assessment
  8. SC-42 - Sensor Capability And Data
  9. SI-18 - Personally Identifiable Information Quality Operations
References
  1. Office of Management and Budget Memorandum Circular A-108, , December 2016., "OMB A-108" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PT-5(1) - Just-In-Time Notice
Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or [Assignment: organization-defined frequency].
PT-5(2) - Privacy Act Statements
Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.
SYSTEM OF RECORDS NOTICE
RMF Control
PT-6
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
The PRIVACT requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a PRIVACT system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in OMB A-108.
Instructions
For systems that process information that will be maintained in a Privacy Act system of records:
PT-6a.
Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
PT-6b.
Publish system of records notices in the Federal Register; and
PT-6c.
Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. PM-20 - Dissemination Of Privacy Program Information
  3. PT-2 - Authority To Process Personally Identifiable Information
  4. PT-3 - Personally Identifiable Information Processing Purposes
  5. PT-5 - Privacy Notice
References
  1. Office of Management and Budget Memorandum Circular A-108, , December 2016., "OMB A-108" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PT-6(1) - Routine Uses
Review all routine uses published in the system of records notice at [Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
PT-6(2) - Exemption Rules
Review all Privacy Act exemptions claimed for the system of records at [Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.
SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION
RMF Control
PT-7
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.
Instructions
Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable information.
Assessment Procedures
Related Controls
  1. IR-9 - Information Spillage Response
  2. PT-2 - Authority To Process Personally Identifiable Information
  3. PT-3 - Personally Identifiable Information Processing Purposes
  4. RA-3 - Risk Assessment
References
  1. National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry., "NARA CUI" https://www.archives.gov/cui
  2. Office of Management and Budget Memorandum Circular A-108, , December 2016., "OMB A-108" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
PT-7(1) - Social Security Numbers
When a system processes Social Security numbers:
PT-7(2) - First Amendment Information
Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
COMPUTER MATCHING REQUIREMENTS
RMF Control
PT-8
Subject Area
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
Baseline Areas
NOT SELECTED, PRIVACY
Description
The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any.
Instructions
When a system or organization processes information for the purpose of conducting a matching program:
PT-8a.
Obtain approval from the Data Integrity Board to conduct the matching program;
PT-8b.
Develop and enter into a computer matching agreement;
PT-8c.
Publish a matching notice in the Federal Register;
PT-8d.
Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
PT-8e.
Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.
Assessment Procedures
Related Controls
  1. PM-24 - Data Integrity Board
References
  1. Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988., "CMPPA" https://www.govinfo.gov/content/pkg/STATUTE-102/pd
  2. Office of Management and Budget Memorandum Circular A-108, , December 2016., "OMB A-108" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
Enhancements
POLICY AND PROCEDURES
RMF Control
RA-1
Subject Area
RISK ASSESSMENT
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
RA-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
RA-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
RA-1c.
Review and update the current risk assessment:
Assessment Procedures
RA-1.1 - CCI-002368
The organization defines the personnel or roles to whom the risk assessment policy is disseminated.
RA-1.2 - CCI-002369
The organization defines the personnel or roles to whom the risk assessment procedures are disseminated.
RA-1.3 - CCI-001037
The organization develops and documents a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
RA-1.4 - CCI-001038
The organization disseminates a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.
RA-1.5 - CCI-001041
The organization develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
RA-1.6 - CCI-001042
The organization disseminates risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls to organization-defined personnel or roles.
RA-1.7 - CCI-001039
The organization reviews and updates the current risk assessment policy in accordance with organization-defined frequency.
RA-1.8 - CCI-001040
The organization defines the frequency to review and update the current risk assessment policy.
RA-1.9 - CCI-001043
The organization reviews and updates the current risk assessment procedures in accordance with organization-defined frequency.
RA-1.10 - CCI-001044
The organization defines the frequency to review and update the current risk assessment procedures.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SECURITY CATEGORIZATION
RMF Control
RA-2
Subject Area
RISK ASSESSMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems. Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.
Instructions
RA-2a.
Categorize the system and information it processes, stores, and transmits;
RA-2b.
Document the security categorization results, including supporting rationale, in the security plan for the system; and
RA-2c.
Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Assessment Procedures
RA-2.1 - CCI-001045
The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
RA-2.2 - CCI-001046
The organization documents the security categorization results (including supporting rationale) in the security plan for the information system.
RA-2.3 - CCI-001047
The organization ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Related Controls
  1. CM-8 - System Component Inventory
  2. MP-4 - Media Storage
  3. PL-2 - System Security And Privacy Plans
  4. PL-10 - Baseline Selection
  5. PL-11 - Baseline Tailoring
  6. PM-7 - Enterprise Architecture
  7. RA-3 - Risk Assessment
  8. RA-5 - Vulnerability Monitoring And Scanning
  9. RA-7 - Risk Response
  10. RA-8 - Privacy Impact Assessments
  11. SA-8 - Security And Privacy Engineering Principles
  12. SC-7 - Boundary Protection
  13. SC-38 - Operations Security
  14. SI-12 - Information Management And Retention
References
  1. Committee on National Security Systems Instruction No. 1253, , March 2014., "CNSSI 1253" https://www.cnss.gov/CNSS/issuances/Instructions.c
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  4. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  5. National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry., "NARA CUI" https://www.archives.gov/cui
  6. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  7. National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200., "FIPS 200" https://doi.org/10.6028/NIST.FIPS.200
  8. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  9. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  10. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
RA-2(1) - Impact-Level Prioritization
Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.
RISK ASSESSMENT
RMF Control
RA-3
Subject Area
RISK ASSESSMENT
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities. Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
Instructions
RA-3a.
Conduct a risk assessment, including:
RA-3b.
Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
RA-3c.
Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];
RA-3d.
Review risk assessment results [Assignment: organization-defined frequency];
RA-3e.
Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
RA-3f.
Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Assessment Procedures
RA-3.1 - CCI-001048
The organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction.
RA-3.3 - CCI-001642
The organization defines the organizational document in which risk assessment results are documented (e.g., security plan, risk assessment report).
RA-3.2 - CCI-001049
The organization documents risk assessment results in the organization-defined document.
RA-3.4 - CCI-001050
The organization reviews risk assessment results on an organization-defined frequency.
RA-3.5 - CCI-001051
The organization defines a frequency for reviewing risk assessment results.
RA-3.7 - CCI-002371
The organization defines the personnel or roles whom the risk assessment results will be disseminated.
RA-3.6 - CCI-002370
The organization disseminates risk assessment results to organization-defined personnel or roles.
RA-3.8 - CCI-001052
The organization updates the risk assessment on an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-3.9 - CCI-001053
The organization defines a frequency for updating the risk assessment.
Related Controls
  1. CA-3 - Information Exchange
  2. CA-6 - Authorization
  3. CM-4 - Impact Analyses
  4. CM-13 - Data Action Mapping
  5. CP-6 - Alternate Storage Site
  6. CP-7 - Alternate Processing Site
  7. IA-8 - Identification And Authentication (Non-Organizational Users)
  8. MA-5 - Maintenance Personnel
  9. PE-3 - Physical Access Control
  10. PE-8 - Visitor Access Records
  11. PE-18 - Location Of System Components
  12. PL-2 - System Security And Privacy Plans
  13. PL-10 - Baseline Selection
  14. PL-11 - Baseline Tailoring
  15. PM-8 - Critical Infrastructure Plan
  16. PM-9 - Risk Management Strategy
  17. PM-28 - Risk Framing
  18. PT-2 - Authority To Process Personally Identifiable Information
  19. PT-7 - Specific Categories Of Personally Identifiable Information
  20. RA-2 - Security Categorization
  21. RA-5 - Vulnerability Monitoring And Scanning
  22. RA-7 - Risk Response
  23. SA-8 - Security And Privacy Engineering Principles
  24. SA-9 - External System Services
  25. SC-38 - Operations Security
  26. SI-12 - Information Management And Retention
References
  1. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  2. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  3. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  4. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  5. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  6. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  7. Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272., "IR 8272" https://doi.org/10.6028/NIST.IR.8272
Enhancements
RA-3(1) - Supply Chain Risk Assessment
RA-3(2) - Use Of All-Source Intelligence
Use all-source intelligence to assist in the analysis of risk.
RA-3(3) - Dynamic Threat Awareness
Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means].
RA-3(4) - Predictive Cyber Analytics
Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].
RISK ASSESSMENT UPDATE
RMF Control
RA-4
Subject Area
RISK ASSESSMENT
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into RA-3].
Assessment Procedures
Related Controls
References
Enhancements
VULNERABILITY MONITORING AND SCANNING
RMF Control
RA-5
Subject Area
RISK ASSESSMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers. Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation. Organizations may also employ the use of financial incentives (also known as bug bounties) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.
Instructions
RA-5a.
Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
RA-5b.
Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
RA-5c.
Analyze vulnerability scan reports and results from vulnerability monitoring;
RA-5d.
Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
RA-5e.
Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
RA-5f.
Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Assessment Procedures
RA-5.2 - CCI-001055
The organization defines a frequency for scanning for vulnerabilities in the information system and hosted applications.
RA-5.1 - CCI-001054
The organization scans for vulnerabilities in the information system and hosted applications on an organization-defined frequency.
RA-5.3 - CCI-001056
The organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported.
RA-5.4 - CCI-001641
The organization defines the process for conducting random vulnerability scans on the information system and hosted applications.
RA-5.5 - CCI-001643
The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans.
RA-5.6 - CCI-001057
The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures; and measuring vulnerability impact.
RA-5.7 - CCI-001058
The organization analyzes vulnerability scan reports and results from security control assessments.
RA-5.8 - CCI-001059
The organization remediates legitimate vulnerabilities in organization-defined response times in accordance with an organizational assessment risk.
RA-5.9 - CCI-001060
The organization defines response times for remediating legitimate vulnerabilities in accordance with an organization assessment of risk.
RA-5.11 - CCI-002376
The organization defines the personnel or roles whom the information obtained from the vulnerability scanning process and security control assessments will be shared.
RA-5.10 - CCI-001061
The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Related Controls
  1. CA-2 - Control Assessments
  2. CA-7 - Continuous Monitoring
  3. CA-8 - Penetration Testing
  4. CM-2 - Baseline Configuration
  5. CM-4 - Impact Analyses
  6. CM-6 - Configuration Settings
  7. CM-8 - System Component Inventory
  8. RA-2 - Security Categorization
  9. RA-3 - Risk Assessment
  10. SA-11 - Developer Testing And Evaluation
  11. SA-15 - Development Process, Standards, And Tools
  12. SC-38 - Operations Security
  13. SI-2 - Flaw Remediation
  14. SI-3 - Malicious Code Protection
  15. SI-4 - System Monitoring
  16. SI-7 - Software, Firmware, And Information Integrity
  17. SR-11 - Component Authenticity
References
  1. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  2. Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4., "IR 8011-4" https://doi.org/10.6028/NIST.IR.8011-4
  3. International Organization for Standardization/International Electrotechnical Commission 29147:2018, , October 2018., "ISO 29147" https://www.iso.org/standard/72311.html
  4. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  5. Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4., "SP 800-70" https://doi.org/10.6028/NIST.SP.800-70r4
  6. Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115., "SP 800-115" https://doi.org/10.6028/NIST.SP.800-115
  7. Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788., "IR 7788" https://doi.org/10.6028/NIST.IR.7788
  8. Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3., "SP 800-40" https://doi.org/10.6028/NIST.SP.800-40r3
  9. Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3., "SP 800-126" https://doi.org/10.6028/NIST.SP.800-126r3
Enhancements
RA-5(1) - Update Tool Capability
[Withdrawn: Incorporated into RA-5].
RA-5(2) - Update Vulnerabilities To Be Scanned
Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
RA-5(3) - Breadth And Depth Of Coverage
Define the breadth and depth of vulnerability scanning coverage.
RA-5(4) - Discoverable Information
Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].
RA-5(5) - Privileged Access
Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].
RA-5(6) - Automated Trend Analyses
Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].
RA-5(7) - Automated Detection And Notification Of Unauthorized Components
[Withdrawn: Incorporated into CM-8].
RA-5(8) - Review Historic Audit Logs
Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].
RA-5(9) - Penetration Testing And Analyses
[Withdrawn: Incorporated into CA-8].
RA-5(10) - Correlate Scanning Information
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.
RA-5(11) - Public Disclosure Program
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
RMF Control
RA-6
Subject Area
RISK ASSESSMENT
Baseline Areas
NOT SELECTED
Description
A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security posture of organizations and facilities and include visual, electronic, and physical examinations of surveyed facilities, internally and externally. The surveys also provide useful input for risk assessments and information regarding organizational exposure to potential adversaries.
Instructions
Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]].
Assessment Procedures
RA-6.1 - CCI-003119
The organization employs a technical surveillance countermeasures survey at organization-defined locations on an organization-defined frequency or when organization-defined events or indicators occur.
RA-6.2 - CCI-003120
The organization defines the locations where technical surveillance countermeasures surveys are to be employed.
RA-6.3 - CCI-003121
The organization defines the frequency on which to employ technical surveillance countermeasures surveys.
RA-6.4 - CCI-003122
The organization defines the events or indicators upon which technical surveillance countermeasures surveys are to be employed.
Related Controls
References
Enhancements
RISK RESPONSE
RMF Control
RA-7
Subject Area
RISK ASSESSMENT
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.
Instructions
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
Assessment Procedures
Related Controls
  1. CA-5 - Plan Of Action And Milestones
  2. IR-9 - Information Spillage Response
  3. PM-4 - Plan Of Action And Milestones Process
  4. PM-28 - Risk Framing
  5. RA-2 - Security Categorization
  6. RA-3 - Risk Assessment
  7. SR-2 - Supply Chain Risk Management Plan
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  5. National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200., "FIPS 200" https://doi.org/10.6028/NIST.FIPS.200
  6. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
PRIVACY IMPACT ASSESSMENTS
RMF Control
RA-8
Subject Area
RISK ASSESSMENT
Baseline Areas
NOT SELECTED, PRIVACY
Description
A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis. Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology. To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by EGOV; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.
Instructions
Conduct privacy impact assessments for systems, programs, or other activities before:
RA-8a.
Developing or procuring information technology that processes personally identifiable information; and
RA-8b.
Initiating a new collection of personally identifiable information that:
Assessment Procedures
Related Controls
  1. CM-4 - Impact Analyses
  2. CM-9 - Configuration Management Plan
  3. CM-13 - Data Action Mapping
  4. PT-2 - Authority To Process Personally Identifiable Information
  5. PT-3 - Personally Identifiable Information Processing Purposes
  6. PT-5 - Privacy Notice
  7. RA-1 - Policy And Procedures
  8. RA-2 - Security Categorization
  9. RA-3 - Risk Assessment
  10. RA-7 - Risk Response
References
  1. E-Government Act [includes FISMA] (P.L. 107-347), December 2002. , "EGOV" https://www.congress.gov/107/plaws/publ347/PLAW-10
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Office of Management and Budget Memorandum M-03-22, , September 2003. , "OMB M-03-22" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
CRITICALITY ANALYSIS
RMF Control
RA-9
Subject Area
RISK ASSESSMENT
Baseline Areas
MODERATE, HIGH
Description
Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system. The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
Instructions
Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle].
Assessment Procedures
Related Controls
  1. CP-2 - Contingency Plan
  2. PL-2 - System Security And Privacy Plans
  3. PL-8 - Security And Privacy Architectures
  4. PL-11 - Baseline Tailoring
  5. PM-1 - Information Security Program Plan
  6. PM-11 - Mission And Business Process Definition
  7. RA-2 - Security Categorization
  8. SA-8 - Security And Privacy Engineering Principles
  9. SA-15 - Development Process, Standards, And Tools
  10. SA-20 - Customized Development Of Critical Components
  11. SR-5 - Acquisition Strategies, Tools, And Methods
References
  1. Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179., "IR 8179" https://doi.org/10.6028/NIST.IR.8179
Enhancements
THREAT HUNTING
RMF Control
RA-10
Subject Area
RISK ASSESSMENT
Baseline Areas
NOT SELECTED
Description
Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.
Instructions
RA-10a.
Establish and maintain a cyber threat hunting capability to:
RA-10b.
Employ the threat hunting capability [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. CA-2 - Control Assessments
  2. CA-7 - Continuous Monitoring
  3. CA-8 - Penetration Testing
  4. RA-3 - Risk Assessment
  5. RA-5 - Vulnerability Monitoring And Scanning
  6. RA-6 - Technical Surveillance Countermeasures Survey
  7. SI-4 - System Monitoring
References
  1. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
Enhancements
POLICY AND PROCEDURES
RMF Control
SA-1
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
SA-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
SA-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
SA-1c.
Review and update the current system and services acquisition:
Assessment Procedures
SA-1.1 - CCI-003089
The organization defines the personnel or roles to whom the system and services acquisition policy is disseminated.
SA-1.2 - CCI-003090
The organization defines the personnel or roles to whom procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are disseminated.
SA-1.4 - CCI-000602
The organization develops and documents a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
SA-1.3 - CCI-000603
The organization disseminates to organization-defined personnel or roles a system and services acquisition policy.
SA-1.5 - CCI-000605
The organization develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
SA-1.6 - CCI-000606
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
SA-1.7 - CCI-000601
The organization defines the frequency to review and update the current system and services acquisition policy.
SA-1.8 - CCI-000604
The organization reviews and updates the current system and services acquisition policy in accordance with organization-defined frequency.
SA-1.10 - CCI-001646
The organization defines the frequency to review and update the current system and services acquisition procedures.
SA-1.9 - CCI-000607
The organization reviews and updates the current system and services acquisition procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SA-8 - Security And Privacy Engineering Principles
  4. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  4. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  6. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
ALLOCATION OF RESOURCES
RMF Control
SA-2
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.
Instructions
SA-2a.
Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
SA-2b.
Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
SA-2c.
Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
Assessment Procedures
SA-2.1 - CCI-003091
The organization determines information security requirements for the information system or information system service in mission/business process planning.
SA-2.2 - CCI-000610
The organization determines the resources required to protect the information system or information system service as part of its capital planning and investment control process.
SA-2.3 - CCI-000611
The organization documents the resources required to protect the information system or information system service as part of its capital planning and investment control process.
SA-2.4 - CCI-000612
The organization allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process.
SA-2.5 - CCI-000613
The organization establishes a discrete line item for information security in organizational programming documentation.
SA-2.6 - CCI-000614
The organization establishes a discrete line item for information security in organizational budgeting documentation.
Related Controls
  1. PL-7 - Concept Of Operations
  2. PM-3 - Information Security And Privacy Resources
  3. PM-11 - Mission And Business Process Definition
  4. SA-9 - External System Services
  5. SR-3 - Supply Chain Controls And Processes
  6. SR-5 - Acquisition Strategies, Tools, And Methods
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  3. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SYSTEM DEVELOPMENT LIFE CYCLE
RMF Control
SA-3
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.
Instructions
SA-3a.
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
SA-3b.
Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
SA-3c.
Identify individuals having information security and privacy roles and responsibilities; and
SA-3d.
Integrate the organizational information security and privacy risk management process into system development life cycle activities.
Assessment Procedures
SA-3.2 - CCI-003092
The organization defines a system development life cycle that is used to manage the information system.
SA-3.1 - CCI-000615
The organization manages the information system using organization-defined system development life cycle that incorporates information security considerations.
SA-3.3 - CCI-000616
The organization defines and documents information system security roles and responsibilities throughout the system development life cycle.
SA-3.4 - CCI-000618
The organization identifies individuals having information system security roles and responsibilities.
SA-3.5 - CCI-003093
The organization integrates the organizational information security risk management process into system development life cycle activities.
Related Controls
  1. AT-3 - Role-Based Training
  2. PL-8 - Security And Privacy Architectures
  3. PM-7 - Enterprise Architecture
  4. SA-4 - Acquisition Process
  5. SA-5 - System Documentation
  6. SA-8 - Security And Privacy Engineering Principles
  7. SA-11 - Developer Testing And Evaluation
  8. SA-15 - Development Process, Standards, And Tools
  9. SA-17 - Developer Security And Privacy Architecture And Design
  10. SA-22 - Unsupported System Components
  11. SR-3 - Supply Chain Controls And Processes
  12. SR-4 - Provenance
  13. SR-5 - Acquisition Strategies, Tools, And Methods
  14. SR-9 - Tamper Resistance And Detection
References
  1. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  2. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  5. Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2., "SP 800-171" https://doi.org/10.6028/NIST.SP.800-171r2
  6. Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172., "SP 800-172" https://doi.org/10.6028/NIST.SP.800-172-draft
Enhancements
SA-3(1) - Manage Preproduction Environment
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.
SA-3(2) - Use Of Live Or Operational Data
SA-3(3) - Technology Refresh
Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.
ACQUISITION PROCESS
RMF Control
SA-4
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle. Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle. Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.
Instructions
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
SA-4a.
Security and privacy functional requirements;
SA-4b.
Strength of mechanism requirements;
SA-4c.
Security and privacy assurance requirements;
SA-4d.
Controls needed to satisfy the security and privacy requirements.
SA-4e.
Security and privacy documentation requirements;
SA-4f.
Requirements for protecting security and privacy documentation;
SA-4g.
Description of the system development environment and environment in which the system is intended to operate;
SA-4h.
Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
SA-4i.
Acceptance criteria.
Assessment Procedures
SA-4.1 - CCI-003094
The organization includes the security functional requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4.2 - CCI-003095
The organization includes the security strength requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4.3 - CCI-003096
The organization includes the security assurance requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4.4 - CCI-003097
The organization includes the security-related documentation requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4.5 - CCI-003098
The organization includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4.6 - CCI-003099
The organization includes description of the information system development environment and environment in which the system is intended to operate, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4.7 - CCI-003100
The organization includes acceptance criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
Related Controls
  1. CM-6 - Configuration Settings
  2. CM-8 - System Component Inventory
  3. PS-7 - External Personnel Security
  4. SA-3 - System Development Life Cycle
  5. SA-5 - System Documentation
  6. SA-8 - Security And Privacy Engineering Principles
  7. SA-11 - Developer Testing And Evaluation
  8. SA-15 - Development Process, Standards, And Tools
  9. SA-16 - Developer-Provided Training
  10. SA-17 - Developer Security And Privacy Architecture And Design
  11. SA-21 - Developer Screening
  12. SR-3 - Supply Chain Controls And Processes
  13. SR-5 - Acquisition Strategies, Tools, And Methods
References
  1. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  2. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  3. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  4. Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676., "IR 7676" https://doi.org/10.6028/NIST.IR.7676
  5. Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870., "IR 7870" https://doi.org/10.6028/NIST.IR.7870
  6. Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016., "SP 800-73-4" https://doi.org/10.6028/NIST.SP.800-73-4
  7. Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539., "IR 7539" https://doi.org/10.6028/NIST.IR.7539
  8. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  9. Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35., "SP 800-35" https://doi.org/10.6028/NIST.SP.800-35
  10. International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, , April 2017., "ISO 15408-1" https://www.commoncriteriaportal.org/files/ccfiles
  11. International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, , April 2017., "ISO 15408-2" https://www.commoncriteriaportal.org/files/ccfiles
  12. International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, , April 2017., "ISO 15408-3" https://www.commoncriteriaportal.org/files/ccfiles
  13. International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, , November 2018., "ISO 29148" https://www.iso.org/standard/72089.html
  14. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  15. National Information Assurance Partnership, ., "NIAP CCEVS" https://www.niap-ccevs.org
  16. National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2., "FIPS 201-2" https://doi.org/10.6028/NIST.FIPS.201-2
  17. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  18. National Security Agency, ., "NSA CSFC" https://www.nsa.gov/resources/everyone/csfc
  19. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  20. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
  21. Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4., "SP 800-70" https://doi.org/10.6028/NIST.SP.800-70r4
  22. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SA-4(1) - Functional Properties Of Controls
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
SA-4(2) - Design And Implementation Information For Controls
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail].
SA-4(3) - Development Methods, Techniques, And Practices
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:
SA-4(4) - Assignment Of Components To Systems
[Withdrawn: Incorporated into CM-8(9)].
SA-4(5) - System, Component, And Service Configurations
Require the developer of the system, system component, or system service to:
SA-4(6) - Use Of Information Assurance Products
SA-4(7) - Niap-Approved Protection Profiles
SA-4(8) - Continuous Monitoring Plan For Controls
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
SA-4(9) - Functions, Ports, Protocols, And Services In Use
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
SA-4(10) - Use Of Approved Piv Products
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
SA-4(11) - System Of Records
Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
SA-4(12) - Data Ownership
SYSTEM DOCUMENTATION
RMF Control
SA-5
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH
Description
System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.
Instructions
SA-5a.
Obtain or develop administrator documentation for the system, system component, or system service that describes:
SA-5b.
Obtain or develop user documentation for the system, system component, or system service that describes:
SA-5c.
Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
SA-5d.
Distribute documentation to [Assignment: organization-defined personnel or roles].
Assessment Procedures
SA-5.1 - CCI-003124
The organization obtains administrator documentation for the information system, system component, or information system services that describes secure configuration of the system, component, or service.
SA-5.2 - CCI-003125
The organization obtains administrator documentation for the information system, system component, or information system services that describes secure installation of the system, component, or service.
SA-5.3 - CCI-003126
The organization obtains administrator documentation for the information system, system component, or information system services that describes secure operation of the system, component, or service.
SA-5.4 - CCI-003127
The organization obtains administrator documentation for the information system, system component, or information system services that describes effective use and maintenance of security functions/mechanisms.
SA-5.5 - CCI-003128
The organization obtains administrator documentation for the information system, system component, or information system services that describes known vulnerabilities regarding configuration and use of administrative (i.e. privileged) functions.
SA-5.6 - CCI-003129
The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.
SA-5.7 - CCI-003130
The organization obtains user documentation for the information system, system component or information system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner.
SA-5.8 - CCI-003131
The organization obtains user documentation for the information system, system component or information system service that describes user responsibilities in maintaining the security of the system, component, or service.
SA-5.11 - CCI-000642
The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent.
SA-5.9 - CCI-003132
The organization takes organization-defined actions in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service.
SA-5.10 - CCI-003133
The organization defines actions to be taken in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service.
SA-5.12 - CCI-003134
The organization protects information system, system component, or information system service documentation as required, in accordance with the risk management strategy.
SA-5.13 - CCI-003135
The organization distributes information system, system component, or information system service documentation to organization-defined personnel or roles.
SA-5.14 - CCI-003136
The organization defines the personnel or roles the information system, system component, or information system service documentation is to be distributed.
Related Controls
  1. CM-4 - Impact Analyses
  2. CM-6 - Configuration Settings
  3. CM-7 - Least Functionality
  4. CM-8 - System Component Inventory
  5. PL-2 - System Security And Privacy Plans
  6. PL-4 - Rules Of Behavior
  7. PL-8 - Security And Privacy Architectures
  8. PS-2 - Position Risk Designation
  9. SA-3 - System Development Life Cycle
  10. SA-4 - Acquisition Process
  11. SA-8 - Security And Privacy Engineering Principles
  12. SA-9 - External System Services
  13. SA-10 - Developer Configuration Management
  14. SA-11 - Developer Testing And Evaluation
  15. SA-15 - Development Process, Standards, And Tools
  16. SA-16 - Developer-Provided Training
  17. SA-17 - Developer Security And Privacy Architecture And Design
  18. SI-12 - Information Management And Retention
  19. SR-3 - Supply Chain Controls And Processes
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SA-5(1) - Functional Properties Of Security Controls
[Withdrawn: Incorporated into SA-4(1)].
SA-5(2) - Security-Relevant External System Interfaces
[Withdrawn: Incorporated into SA-4(2)].
SA-5(3) - High-Level Design
[Withdrawn: Incorporated into SA-4(2)].
SA-5(4) - Low-Level Design
[Withdrawn: Incorporated into SA-4(2)].
SA-5(5) - Source Code
[Withdrawn: Incorporated into SA-4(2)].
SOFTWARE USAGE RESTRICTIONS
RMF Control
SA-6
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into CM-10, SI-7].
Assessment Procedures
Related Controls
References
Enhancements
USER-INSTALLED SOFTWARE
RMF Control
SA-7
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into CM-11, SI-7].
Assessment Procedures
Related Controls
References
Enhancements
SECURITY AND PRIVACY ENGINEERING PRINCIPLES
RMF Control
SA-8
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH
Description
Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.
Instructions
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].
Assessment Procedures
SA-8.1 - CCI-000664
The organization applies information system security engineering principles in the specification of the information system.
SA-8.2 - CCI-000665
The organization applies information system security engineering principles in the design of the information system.
SA-8.3 - CCI-000666
The organization applies information system security engineering principles in the development of the information system.
SA-8.4 - CCI-000667
The organization applies information system security engineering principles in the implementation of the information system.
SA-8.5 - CCI-000668
The organization applies information system security engineering principles in the modification of the information system.
Related Controls
  1. PL-8 - Security And Privacy Architectures
  2. PM-7 - Enterprise Architecture
  3. RA-2 - Security Categorization
  4. RA-3 - Risk Assessment
  5. RA-9 - Criticality Analysis
  6. SA-3 - System Development Life Cycle
  7. SA-4 - Acquisition Process
  8. SA-15 - Development Process, Standards, And Tools
  9. SA-17 - Developer Security And Privacy Architecture And Design
  10. SA-20 - Customized Development Of Critical Components
  11. SC-2 - Separation Of System And User Functionality
  12. SC-3 - Security Function Isolation
  13. SC-32 - System Partitioning
  14. SC-39 - Process Isolation
  15. SR-2 - Supply Chain Risk Management Plan
  16. SR-3 - Supply Chain Controls And Processes
  17. SR-4 - Provenance
  18. SR-5 - Acquisition Strategies, Tools, And Methods
References
  1. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062., "IR 8062" https://doi.org/10.6028/NIST.IR.8062
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  4. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  5. National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200., "FIPS 200" https://doi.org/10.6028/NIST.FIPS.200
  6. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  7. Privacy Act (P.L. 93-579), December 1974., "PRIVACT" https://www.govinfo.gov/content/pkg/STATUTE-88/pdf
  8. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  9. Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1., "SP 800-60-1" https://doi.org/10.6028/NIST.SP.800-60v1r1
  10. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1., "SP 800-60-2" https://doi.org/10.6028/NIST.SP.800-60v2r1
Enhancements
SA-8(1) - Clear Abstractions
Implement the security design principle of clear abstractions.
SA-8(2) - Least Common Mechanism
Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].
SA-8(3) - Modularity And Layering
Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components].
SA-8(4) - Partially Ordered Dependencies
Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].
SA-8(5) - Efficiently Mediated Access
Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].
SA-8(6) - Minimized Sharing
Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].
SA-8(7) - Reduced Complexity
Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].
SA-8(8) - Secure Evolvability
Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components].
SA-8(9) - Trusted Components
Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].
SA-8(10) - Hierarchical Trust
Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].
SA-8(11) - Inverse Modification Threshold
Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].
SA-8(12) - Hierarchical Protection
Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].
SA-8(13) - Minimized Security Elements
Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].
SA-8(14) - Least Privilege
Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components].
SA-8(15) - Predicate Permission
Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components].
SA-8(16) - Self-Reliant Trustworthiness
Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].
SA-8(17) - Secure Distributed Composition
Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components].
SA-8(18) - Trusted Communications Channels
Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components].
SA-8(19) - Continuous Protection
Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components].
SA-8(20) - Secure Metadata Management
Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].
SA-8(21) - Self-Analysis
Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components].
SA-8(22) - Accountability And Traceability
Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components].
SA-8(23) - Secure Defaults
Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components].
SA-8(24) - Secure Failure And Recovery
Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components].
SA-8(25) - Economic Security
Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].
SA-8(26) - Performance Security
Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].
SA-8(27) - Human Factored Security
Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].
SA-8(28) - Acceptable Security
Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].
SA-8(29) - Repeatable And Documented Procedures
Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].
SA-8(30) - Procedural Rigor
Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].
SA-8(31) - Secure System Modification
Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].
SA-8(32) - Sufficient Documentation
Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].
SA-8(33) - Minimization
Implement the privacy principle of minimization using [Assignment: organization-defined processes].
EXTERNAL SYSTEM SERVICES
RMF Control
SA-9
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.
Instructions
SA-9a.
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
SA-9b.
Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
SA-9c.
Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].
Assessment Procedures
SA-9.3 - CCI-003137
The organization defines security controls that providers of external information system services employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SA-9.1 - CCI-000669
The organization requires that providers of external information system services comply with organizational information security requirements.
SA-9.2 - CCI-000670
The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SA-9.4 - CCI-000671
The organization defines government oversight with regard to external information system services.
SA-9.5 - CCI-000672
The organization documents government oversight with regard to external information system services.
SA-9.6 - CCI-000673
The organization defines user roles and responsibilities with regard to external information system services.
SA-9.7 - CCI-000674
The organization documents user roles and responsibilities with regard to external information system services.
SA-9.8 - CCI-003138
The organization employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.
SA-9.9 - CCI-003139
The organization defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis.
Related Controls
  1. AC-20 - Use Of External Systems
  2. CA-3 - Information Exchange
  3. CP-2 - Contingency Plan
  4. IR-4 - Incident Handling
  5. IR-7 - Incident Response Assistance
  6. PL-10 - Baseline Selection
  7. PL-11 - Baseline Tailoring
  8. PS-7 - External Personnel Security
  9. SA-2 - Allocation Of Resources
  10. SA-4 - Acquisition Process
  11. SR-3 - Supply Chain Controls And Processes
  12. SR-5 - Acquisition Strategies, Tools, And Methods
References
  1. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  2. Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35., "SP 800-35" https://doi.org/10.6028/NIST.SP.800-35
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  4. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  5. Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2., "SP 800-171" https://doi.org/10.6028/NIST.SP.800-171r2
Enhancements
SA-9(1) - Risk Assessments And Organizational Approvals
SA-9(2) - Identification Of Functions, Ports, Protocols, And Services
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].
SA-9(3) - Establish And Maintain Trust Relationship With Providers
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9(4) - Consistent Interests Of Consumers And Providers
Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions].
SA-9(5) - Processing, Storage, And Service Location
Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
SA-9(6) - Organization-Controlled Cryptographic Keys
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
SA-9(7) - Organization-Controlled Integrity Checking
Provide the capability to check the integrity of information while it resides in the external system.
SA-9(8) - Processing And Storage Location — U.s. Jurisdiction
Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States.
DEVELOPER CONFIGURATION MANAGEMENT
RMF Control
SA-10
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
MODERATE, HIGH
Description
Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.
Instructions
Require the developer of the system, system component, or system service to:
SA-10a.
Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal];
SA-10b.
Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
SA-10c.
Implement only organization-approved changes to the system, component, or service;
SA-10d.
Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
SA-10e.
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Assessment Procedures
SA-10.1 - CCI-003155
The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component or service design, development, implementation and/or operation.
SA-10.2 - CCI-003156
The organization requires the developer of the information system, system component, or information system service to document the integrity of changes to organization-defined configuration items under configuration management.
SA-10.3 - CCI-003157
The organization requires the developer of the information system, system component, or information system service to manage the integrity of changes to organization-defined configuration items under configuration management.
SA-10.4 - CCI-003158
The organization requires the developer of the information system, system component, or information system service to control the integrity of changes to organization-defined configuration items under configuration management.
SA-10.5 - CCI-003159
The organization defines the configuration items under configuration management that require the integrity of changes to be documented, managed and controlled.
SA-10.6 - CCI-000692
The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service.
SA-10.7 - CCI-000694
The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service.
SA-10.8 - CCI-003160
The organization requires the developer of the information system, system component, or information system service to document the potential security impacts of approved changes to the system, component, or service.
SA-10.9 - CCI-003161
The organization requires the developer of the information system, system component, or information system service to track security flaws within the system, component, or service.
SA-10.10 - CCI-003162
The organization requires the developer of the information system, system component, or information system service to track flaw resolution within the system, component, or service.
SA-10.11 - CCI-003163
The organization requires the developer of the information system, system component, or information system service to report security flaws and flaw resolution within the system, component, or service findings to organization-defined personnel.
SA-10.12 - CCI-003164
The organization defines the personnel to whom security flaw findings and flaw resolution within the system, component, or service are reported.
Related Controls
  1. CM-2 - Baseline Configuration
  2. CM-3 - Configuration Change Control
  3. CM-4 - Impact Analyses
  4. CM-7 - Least Functionality
  5. CM-9 - Configuration Management Plan
  6. SA-4 - Acquisition Process
  7. SA-5 - System Documentation
  8. SA-8 - Security And Privacy Engineering Principles
  9. SA-15 - Development Process, Standards, And Tools
  10. SI-2 - Flaw Remediation
  11. SR-3 - Supply Chain Controls And Processes
  12. SR-4 - Provenance
  13. SR-5 - Acquisition Strategies, Tools, And Methods
  14. SR-6 - Supplier Assessments And Reviews
References
  1. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
  2. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  3. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SA-10(1) - Software And Firmware Integrity Verification
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
SA-10(2) - Alternative Configuration Management Processes
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10(3) - Hardware Integrity Verification
Require the developer of the system, system component, or system service to enable integrity verification of hardware components.
SA-10(4) - Trusted Generation
Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.
SA-10(5) - Mapping Integrity For Version Control
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10(6) - Trusted Distribution
Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
SA-10(7) - Security And Privacy Representatives
Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process].
DEVELOPER TESTING AND EVALUATION
RMF Control
SA-11
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
MODERATE, HIGH, PRIVACY
Description
Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.
Instructions
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
SA-11a.
Develop and implement a plan for ongoing security and privacy control assessments;
SA-11b.
Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
SA-11c.
Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
SA-11d.
Implement a verifiable flaw remediation process; and
SA-11e.
Correct flaws identified during testing and evaluation.
Assessment Procedures
SA-11.1 - CCI-003171
The organization requires the developer of the information system, system component, or information system service to create a security assessment plan.
SA-11.2 - CCI-003172
The organization requires the developer of the information system, system component, or information system service to implement a security assessment plan.
SA-11.3 - CCI-003173
The organization requires the developer of the information system, system component, or information system service to perform unit, integration, system, and/or regression testing/evaluation at organization-defined depth and coverage.
SA-11.4 - CCI-003174
The organization defines the depth and coverage to perform unit, integration, system, and/or regression testing/evaluation.
SA-11.5 - CCI-003175
The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan.
SA-11.6 - CCI-003176
The organization requires the developer of the information system, system component, or information system service to produce the results of the security testing/evaluation.
SA-11.7 - CCI-003177
The organization requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process.
SA-11.8 - CCI-003178
The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.
Related Controls
  1. CA-2 - Control Assessments
  2. CA-7 - Continuous Monitoring
  3. CM-4 - Impact Analyses
  4. SA-3 - System Development Life Cycle
  5. SA-4 - Acquisition Process
  6. SA-5 - System Documentation
  7. SA-8 - Security And Privacy Engineering Principles
  8. SA-15 - Development Process, Standards, And Tools
  9. SA-17 - Developer Security And Privacy Architecture And Design
  10. SI-2 - Flaw Remediation
  11. SR-5 - Acquisition Strategies, Tools, And Methods
  12. SR-6 - Supplier Assessments And Reviews
  13. SR-7 - Supply Chain Operations Security
References
  1. International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, , April 2017., "ISO 15408-3" https://www.commoncriteriaportal.org/files/ccfiles
  2. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  3. Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014., "SP 800-53A" https://doi.org/10.6028/NIST.SP.800-53Ar4
  4. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  5. Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154., "SP 800-154" https://csrc.nist.gov/publications/detail/sp/800-1
Enhancements
SA-11(1) - Static Code Analysis
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11(2) - Threat Modeling And Vulnerability Analyses
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
SA-11(3) - Independent Verification Of Assessment Plans And Evidence
SA-11(4) - Manual Code Reviews
Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques].
SA-11(5) - Penetration Testing
Require the developer of the system, system component, or system service to perform penetration testing:
SA-11(6) - Attack Surface Reviews
Require the developer of the system, system component, or system service to perform attack surface reviews.
SA-11(7) - Verify Scope Of Testing And Evaluation
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].
SA-11(8) - Dynamic Code Analysis
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-11(9) - Interactive Application Security Testing
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
SUPPLY CHAIN PROTECTION
RMF Control
SA-12
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Moved to SR Family].
Assessment Procedures
SA-12.1 - CCI-000722
The organization defines the security safeguards to employ to protect against supply chain threats to the information system, system component, or information system service.
SA-12.2 - CCI-000723
The organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.
Related Controls
References
Enhancements
SA-12(1) - Acquisition Strategies / Tools / Methods
[Withdrawn: Moved to SR-5].
SA-12(2) - Supplier Reviews
[Withdrawn: Moved to SR-6].
SA-12(3) - Trusted Shipping And Warehousing
[Withdrawn: Incorporated into SR-3].
SA-12(4) - Diversity Of Suppliers
[Withdrawn: Moved to SR-3(1)].
SA-12(5) - Limitation Of Harm
[Withdrawn: Moved to SR-3(2)].
SA-12(6) - Minimizing Procurement Time
[Withdrawn: Incorporated into SR-5(1)].
SA-12(7) - Assessments Prior To Selection / Acceptance / Update
[Withdrawn: Moved to SR-5(2)].
SA-12(8) - Use Of All-Source Intelligence
[Withdrawn: Incorporated into RA-3(2)].
SA-12(9) - Operations Security
[Withdrawn: Moved to SR-7].
SA-12(10) - Validate As Genuine And Not Altered
[Withdrawn: Moved to SR-4(3)].
SA-12(11) - Penetration Testing / Analysis Of Elements, Processes, And Actors
[Withdrawn: Moved to SR-6(1)].
SA-12(12) - Inter-Organizational Agreements
[Withdrawn: Moved to SR-8].
SA-12(13) - Critical Information System Components
[Withdrawn: Incorporated into MA-6, RA-9].
SA-12(14) - Identity And Traceability
[Withdrawn: Incorporated into SR-4(1), SR-4(2)].
SA-12(15) - Processes To Address Weaknesses Or Deficiencies
[Withdrawn: Incorporated into SR-3].
TRUSTWORTHINESS
RMF Control
SA-13
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into SA-8].
Assessment Procedures
SA-13.1 - CCI-003225
The organization describes the trustworthiness required in the organization-defined information system, information system component, or information system service supporting its critical missions/business functions.
SA-13.2 - CCI-003226
The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.
SA-13.3 - CCI-003227
The organization implements an organization-defined assurance overlay to achieve trustworthiness required to support its critical missions/business functions.
SA-13.4 - CCI-003228
The organization defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.
Related Controls
References
Enhancements
CRITICALITY ANALYSIS
RMF Control
SA-14
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into RA-9].
Assessment Procedures
SA-14.1 - CCI-003229
The organization identifies critical information system components by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.
SA-14.2 - CCI-003230
The organization identifies critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.
SA-14.3 - CCI-003231
The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.
SA-14.4 - CCI-003232
The organization defines the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components , or information system services.
Related Controls
References
Enhancements
SA-14(1) - Critical Components With No Viable Alternative Sourcing
[Withdrawn: Incorporated into SA-20].
DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
RMF Control
SA-15
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
MODERATE, HIGH
Description
Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
Instructions
SA-15a.
Require the developer of the system, system component, or system service to follow a documented development process that:
SA-15b.
Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].
Assessment Procedures
SA-15.1 - CCI-003233
The organization requires the developer of the information system, system component, or information system service to follow a documented development process.
SA-15.2 - CCI-003234
The documented information system, system component, or information system service development process explicitly addresses security requirements.
SA-15.3 - CCI-003235
The documented information system, system component, or information system service development process identifies the standards used in the development process.
SA-15.4 - CCI-003236
The documented information system, system component, or information system service development process identifies the tools used in the development process.
SA-15.5 - CCI-003237
The documented information system, system component, or information system service development process documents the specific tool options and tool configurations used in the development process.
SA-15.6 - CCI-003238
The documented information system, system component, or information system service development process documents changes to the process and/or tools used in development.
SA-15.7 - CCI-003239
The documented information system, system component, or information system service development process manages changes to the process and/or tools used in development.
SA-15.8 - CCI-003240
The documented information system, system component, or information system service development process ensures the integrity of changes to the process and/or tools used in development.
SA-15.9 - CCI-003241
The organization reviews the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements.
SA-15.10 - CCI-003242
The organization reviews the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined security requirements.
SA-15.11 - CCI-003243
The organization reviews the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined security requirements.
SA-15.12 - CCI-003244
The organization reviews the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options/configurations selected and employed can satisfy organization-defined security requirements.
SA-15.13 - CCI-003245
The organization defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy organization-defined security requirements.
SA-15.14 - CCI-003246
The organization defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options/configurations.
Related Controls
  1. MA-6 - Timely Maintenance
  2. SA-3 - System Development Life Cycle
  3. SA-4 - Acquisition Process
  4. SA-8 - Security And Privacy Engineering Principles
  5. SA-10 - Developer Configuration Management
  6. SA-11 - Developer Testing And Evaluation
  7. SR-3 - Supply Chain Controls And Processes
  8. SR-4 - Provenance
  9. SR-5 - Acquisition Strategies, Tools, And Methods
  10. SR-6 - Supplier Assessments And Reviews
  11. SR-9 - Tamper Resistance And Detection
References
  1. Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179., "IR 8179" https://doi.org/10.6028/NIST.IR.8179
  2. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SA-15(1) - Quality Metrics
Require the developer of the system, system component, or system service to:
SA-15(2) - Security And Privacy Tracking Tools
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
SA-15(3) - Criticality Analysis
Require the developer of the system, system component, or system service to perform a criticality analysis:
SA-15(4) - Threat Modeling And Vulnerability Analysis
[Withdrawn: Incorporated into SA-11(2)].
SA-15(5) - Attack Surface Reduction
Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15(6) - Continuous Improvement
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
SA-15(7) - Automated Vulnerability Analysis
Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
SA-15(8) - Reuse Of Threat And Vulnerability Information
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15(9) - Use Of Live Data
[Withdrawn: Incorporated into SA-3(2)].
SA-15(10) - Incident Response Plan
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
SA-15(11) - Archive System Or Component
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
SA-15(12) - Minimize Personally Identifiable Information
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
DEVELOPER-PROVIDED TRAINING
RMF Control
SA-16
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
HIGH
Description
Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.
Instructions
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training].
Assessment Procedures
SA-16.1 - CCI-003291
The organization requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
SA-16.2 - CCI-003292
The organization defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
Related Controls
  1. AT-2 - Literacy Training And Awareness
  2. AT-3 - Role-Based Training
  3. PE-3 - Physical Access Control
  4. SA-4 - Acquisition Process
  5. SA-5 - System Documentation
References
Enhancements
DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN
RMF Control
SA-17
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
HIGH
Description
Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3, and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.
Instructions
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
SA-17a.
Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;
SA-17b.
Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
SA-17c.
Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
Assessment Procedures
SA-17.1 - CCI-003293
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture.
SA-17.2 - CCI-003294
The design specification and security architecture is consistent with and supportive of the organization's security architecture which is established within and is interrogated part of the organization's enterprise architecture.
SA-17.3 - CCI-003295
The design specification and security architecture accurately and completely describes the required security functionality
SA-17.4 - CCI-003296
The design specification and security architecture accurately and completely describes the allocation of security controls among physical and logical components.
SA-17.5 - CCI-003297
The design specification and security architecture expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
Related Controls
  1. PL-2 - System Security And Privacy Plans
  2. PL-8 - Security And Privacy Architectures
  3. PM-7 - Enterprise Architecture
  4. SA-3 - System Development Life Cycle
  5. SA-4 - Acquisition Process
  6. SA-8 - Security And Privacy Engineering Principles
  7. SC-7 - Boundary Protection
References
  1. International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, , April 2017., "ISO 15408-2" https://www.commoncriteriaportal.org/files/ccfiles
  2. International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, , April 2017., "ISO 15408-3" https://www.commoncriteriaportal.org/files/ccfiles
  3. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SA-17(1) - Formal Policy Model
Require the developer of the system, system component, or system service to:
SA-17(2) - Security-Relevant Components
Require the developer of the system, system component, or system service to:
SA-17(3) - Formal Correspondence
Require the developer of the system, system component, or system service to:
SA-17(4) - Informal Correspondence
Require the developer of the system, system component, or system service to:
SA-17(5) - Conceptually Simple Design
Require the developer of the system, system component, or system service to:
SA-17(6) - Structure For Testing
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.
SA-17(7) - Structure For Least Privilege
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
SA-17(8) - Orchestration
Design [Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities, by system or component].
SA-17(9) - Design Diversity
Use different designs for [Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality.
TAMPER RESISTANCE AND DETECTION
RMF Control
SA-18
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Moved to SR-9].
Assessment Procedures
SA-18.1 - CCI-003346
The organization implements a tamper protection program for the information system, system component, or information system service.
Related Controls
References
Enhancements
SA-18(1) - Multiple Phases Of System Development Life Cycle
[Withdrawn: Moved to SR-9(1)].
SA-18(2) - Inspection Of Systems Or Components
[Withdrawn: Moved to SR-10].
COMPONENT AUTHENTICITY
RMF Control
SA-19
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
Description
Instructions
[Withdrawn: Moved to SR-11].
Assessment Procedures
SA-19.1 - CCI-003356
The organization develops anti-counterfeit policy that include the means to detect counterfeit components from entering the information system.
SA-19.2 - CCI-003357
The organization develops anti-counterfeit policy that include the means to prevent counterfeit components from entering the information system.
SA-19.3 - CCI-003358
The organization develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.
SA-19.4 - CCI-003359
The organization develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.
SA-19.5 - CCI-003360
The organization implements anti-counterfeit policy that include the means to detect counterfeit components from entering the information system.
SA-19.6 - CCI-003361
The organization implements anti-counterfeit policy that include the means to prevent counterfeit components from entering the information system.
SA-19.7 - CCI-003362
The organization implements anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.
SA-19.8 - CCI-003363
The organization implements anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.
SA-19.9 - CCI-003364
The organization reports counterfeit information system components to source of counterfeit component, organization-defined external reporting organizations and/or organization-defined personnel or roles.
SA-19.10 - CCI-003365
The organization defines the external reporting organizations to whom counterfeit information system components are to be reported.
SA-19.11 - CCI-003366
The organization defines the personnel or roles to whom counterfeit information system components are to be reported.
Related Controls
References
Enhancements
SA-19(1) - Anti-Counterfeit Training
[Withdrawn: Moved to SR-11(1)].
SA-19(2) - Configuration Control For Component Service And Repair
[Withdrawn: Moved to SR-11(2)].
SA-19(3) - Component Disposal
[Withdrawn: Moved to SR-12].
SA-19(4) - Anti-Counterfeit Scanning
[Withdrawn: Moved to SR-11(3)].
CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
RMF Control
SA-20
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
NOT SELECTED
Description
Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.
Instructions
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components].
Assessment Procedures
SA-20.1 - CCI-003386
The organization defines the critical information system components to re-implement or custom develop.
SA-20.2 - CCI-003387
The organization re-implements or custom develops organization-defined critical information system components.
Related Controls
  1. CP-2 - Contingency Plan
  2. RA-9 - Criticality Analysis
  3. SA-8 - Security And Privacy Engineering Principles
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
DEVELOPER SCREENING
RMF Control
SA-21
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
HIGH
Description
Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.
Instructions
Require that the developer of [Assignment: organization-defined system, system component, or system service]:
SA-21a.
Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
SA-21b.
Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria].
Assessment Procedures
SA-21.1 - CCI-003384
The organization defines the information system, system component, or information system service which require the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria.
SA-21.2 - CCI-003383
The organization defines the official government duties to be assigned to the developer of organization-defined information system, system component, or information system service.
SA-21.3 - CCI-003385
The organization requires that the developer of organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties.
SA-21.5 - CCI-003382
The organization requires that the developer of organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria.
SA-21.4 - CCI-003381
The organization defines additional personnel screening criteria that must be satisfied by the developer of organization-defined information system, system component, or information system service.
Related Controls
  1. PS-2 - Position Risk Designation
  2. PS-3 - Personnel Screening
  3. PS-6 - Access Agreements
  4. PS-7 - External Personnel Security
  5. SA-4 - Acquisition Process
  6. SR-6 - Supplier Assessments And Reviews
References
Enhancements
SA-21(1) - Validation Of Screening
[Withdrawn: Incorporated into SA-21].
UNSUPPORTED SYSTEM COMPONENTS
RMF Control
SA-22
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
LOW, MODERATE, HIGH
Description
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.
Instructions
SA-22a.
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
SA-22b.
Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]].
Assessment Procedures
SA-22.2 - CCI-003374
The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
SA-22.3 - CCI-003375
The organization provides justification for the continued use of unsupported system components required to satisfy mission/business needs.
SA-22.1 - CCI-003376
The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer.
Related Controls
  1. PL-2 - System Security And Privacy Plans
  2. SA-3 - System Development Life Cycle
References
Enhancements
SA-22(1) - Alternative Sources For Continued Support
[Withdrawn: Incorporated into SA-22].
SPECIALIZATION
RMF Control
SA-23
Subject Area
SYSTEM AND SERVICES ACQUISITION
Baseline Areas
NOT SELECTED
Description
It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend on the organization-defined resources.
Instructions
Employ [Selection (one or more): design; modification; augmentation; reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components.
Assessment Procedures
Related Controls
  1. RA-9 - Criticality Analysis
  2. SA-8 - Security And Privacy Engineering Principles
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  2. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
POLICY AND PROCEDURES
RMF Control
SC-1
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
SC-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
SC-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and
SC-1c.
Review and update the current system and communications protection:
Assessment Procedures
SC-1.2 - CCI-002380
The organization defines the personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-1.1 - CCI-002378
The organization defines the personnel or roles to be recipients of the system and communications protection policy.
SC-1.3 - CCI-001074
The organization develops and documents a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
SC-1.4 - CCI-001075
The organization disseminates to organization-defined personnel or roles the system and communications protection policy.
SC-1.5 - CCI-001078
The organization develops and documents system and communications protection procedures to facilitate the implementation of the system and communications protection policy and communications protection controls and associated system and communications protection controls.
SC-1.6 - CCI-001079
The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-1.8 - CCI-001077
The organization defines the frequency for reviewing and updating the system and communications protection policy.
SC-1.7 - CCI-001076
The organization reviews and updates the system and communications protection policy in accordance with organization-defined frequency.
SC-1.10 - CCI-001081
The organization defines the frequency of system and communications protection procedure reviews and updates.
SC-1.9 - CCI-001080
The organization reviews and updates the system and communications protection procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SA-8 - Security And Privacy Engineering Principles
  4. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SEPARATION OF SYSTEM AND USER FUNCTIONALITY
RMF Control
SC-2
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8, including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).
Instructions
Separate user functionality, including user interface services, from system management functionality.
Assessment Procedures
SC-2.1 - CCI-001082
The information system separates user functionality (including user interface services) from information system management functionality.
Related Controls
  1. AC-6 - Least Privilege
  2. SA-4 - Acquisition Process
  3. SA-8 - Security And Privacy Engineering Principles
  4. SC-3 - Security Function Isolation
  5. SC-7 - Boundary Protection
  6. SC-22 - Architecture And Provisioning For Name/Address Resolution Service
  7. SC-32 - System Partitioning
  8. SC-39 - Process Isolation
References
Enhancements
SC-2(1) - Interfaces For Non-Privileged Users
Prevent the presentation of system management functionality at interfaces to non-privileged users.
SC-2(2) - Disassociability
Store state information from applications and software separately.
SECURITY FUNCTION ISOLATION
RMF Control
SC-3
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
HIGH
Description
Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8, including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).
Instructions
Isolate security functions from nonsecurity functions.
Assessment Procedures
SC-3.1 - CCI-001084
The information system isolates security functions from nonsecurity functions.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-6 - Least Privilege
  3. AC-25 - Reference Monitor
  4. CM-2 - Baseline Configuration
  5. CM-4 - Impact Analyses
  6. SA-4 - Acquisition Process
  7. SA-5 - System Documentation
  8. SA-8 - Security And Privacy Engineering Principles
  9. SA-15 - Development Process, Standards, And Tools
  10. SA-17 - Developer Security And Privacy Architecture And Design
  11. SC-2 - Separation Of System And User Functionality
  12. SC-7 - Boundary Protection
  13. SC-32 - System Partitioning
  14. SC-39 - Process Isolation
  15. SI-16 - Memory Protection
References
Enhancements
SC-3(1) - Hardware Separation
Employ hardware separation mechanisms to implement security function isolation.
SC-3(2) - Access And Flow Control Functions
Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
SC-3(3) - Minimize Nonsecurity Functionality
Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
SC-3(4) - Module Coupling And Cohesiveness
Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
SC-3(5) - Layered Structures
Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
INFORMATION IN SHARED SYSTEM RESOURCES
RMF Control
SC-4
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
Instructions
Prevent unauthorized and unintended information transfer via shared system resources.
Assessment Procedures
SC-4.1 - CCI-001090
The information system prevents unauthorized and unintended information transfer via shared system resources.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. SA-8 - Security And Privacy Engineering Principles
References
Enhancements
SC-4(1) - Security Levels
[Withdrawn: Incorporated into SC-4].
SC-4(2) - Multilevel Or Periods Processing
Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
DENIAL-OF-SERVICE PROTECTION
RMF Control
SC-5
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.
Instructions
SC-5a.
[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
SC-5b.
Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
Assessment Procedures
SC-5.1 - CCI-001093
The organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system.
SC-5.3 - CCI-002386
The organization defines the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks.
SC-5.2 - CCI-002385
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
Related Controls
  1. CP-2 - Contingency Plan
  2. IR-4 - Incident Handling
  3. SC-6 - Resource Availability
  4. SC-7 - Boundary Protection
  5. SC-40 - Wireless Link Protection
References
  1. Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189., "SP 800-189" https://doi.org/10.6028/NIST.SP.800-189
Enhancements
SC-5(1) - Restrict Ability To Attack Other Systems
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].
SC-5(2) - Capacity, Bandwidth, And Redundancy
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
SC-5(3) - Detection And Monitoring
RESOURCE AVAILABILITY
RMF Control
SC-6
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Priority protection prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources.
Instructions
Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].
Assessment Procedures
SC-6.1 - CCI-002392
The organization defines the resources to be allocated to protect the availability of information system resources.
SC-6.2 - CCI-002393
The organization defines the security safeguards to be employed to protect the availability of information system resources.
SC-6.3 - CCI-002394
The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards.
Related Controls
  1. SC-5 - Denial-Of-Service Protection
References
  1. Department of Homeland Security, ., "DHS TIC" https://www.dhs.gov/trusted-internet-connections
  2. Office of Management and Budget Memorandum M-08-05, , November 2007., "OMB M-08-05" https://obamawhitehouse.archives.gov/sites/default
Enhancements
BOUNDARY PROTECTION
RMF Control
SC-7
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
Instructions
SC-7a.
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
SC-7b.
Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
SC-7c.
Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Assessment Procedures
SC-7.1 - CCI-001097
The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system.
SC-7.2 - CCI-002395
The information system implements subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks.
SC-7.3 - CCI-001098
The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. AC-17 - Remote Access
  3. AC-18 - Wireless Access
  4. AC-19 - Access Control For Mobile Devices
  5. AC-20 - Use Of External Systems
  6. AU-13 - Monitoring For Information Disclosure
  7. CA-3 - Information Exchange
  8. CM-2 - Baseline Configuration
  9. CM-4 - Impact Analyses
  10. CM-7 - Least Functionality
  11. CM-10 - Software Usage Restrictions
  12. CP-8 - Telecommunications Services
  13. CP-10 - System Recovery And Reconstitution
  14. IR-4 - Incident Handling
  15. MA-4 - Nonlocal Maintenance
  16. PE-3 - Physical Access Control
  17. PL-8 - Security And Privacy Architectures
  18. PM-12 - Insider Threat Program
  19. SA-8 - Security And Privacy Engineering Principles
  20. SA-17 - Developer Security And Privacy Architecture And Design
  21. SC-5 - Denial-Of-Service Protection
  22. SC-26 - Decoys
  23. SC-32 - System Partitioning
  24. SC-35 - External Malicious Code Identification
  25. SC-43 - Usage Restrictions
References
  1. Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1., "SP 800-77" https://doi.org/10.6028/NIST.SP.800-77r1
  2. Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2., "SP 800-37" https://doi.org/10.6028/NIST.SP.800-37r2
  3. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  4. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  5. Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1., "SP 800-41" https://doi.org/10.6028/NIST.SP.800-41r1
  6. Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189., "SP 800-189" https://doi.org/10.6028/NIST.SP.800-189
Enhancements
SC-7(1) - Physically Separated Subnetworks
[Withdrawn: Incorporated into SC-7].
SC-7(2) - Public Access
[Withdrawn: Incorporated into SC-7].
SC-7(3) - Access Points
Limit the number of external network connections to the system.
SC-7(4) - External Telecommunications Services
SC-7(5) - Deny By Default — Allow By Exception
Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].
SC-7(6) - Response To Recognized Failures
[Withdrawn: Incorporated into SC-7(18)].
SC-7(7) - Split Tunneling For Remote Devices
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].
SC-7(8) - Route Traffic To Authenticated Proxy Servers
Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
SC-7(9) - Restrict Threatening Outgoing Communications Traffic
SC-7(10) - Prevent Exfiltration
SC-7(11) - Restrict Incoming Communications Traffic
Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
SC-7(12) - Host-Based Protection
Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].
SC-7(13) - Isolation Of Security Tools, Mechanisms, And Support Components
Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
SC-7(14) - Protect Against Unauthorized Physical Connections
Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
SC-7(15) - Networked Privileged Accesses
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7(16) - Prevent Discovery Of System Components
Prevent the discovery of specific system components that represent a managed interface.
SC-7(17) - Automated Enforcement Of Protocol Formats
Enforce adherence to protocol formats.
SC-7(18) - Fail Secure
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
SC-7(19) - Block Communication From Non-Organizationally Configured Hosts
Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
SC-7(20) - Dynamic Isolation And Segregation
Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.
SC-7(21) - Isolation Of System Components
Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].
SC-7(22) - Separate Subnets For Connecting To Different Security Domains
Implement separate network addresses to connect to systems in different security domains.
SC-7(23) - Disable Sender Feedback On Protocol Validation Failure
Disable feedback to senders on protocol format validation failure.
SC-7(24) - Personally Identifiable Information
For systems that process personally identifiable information:
SC-7(25) - Unclassified National Security System Connections
Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
SC-7(26) - Classified National Security System Connections
Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
SC-7(27) - Unclassified Non-National Security System Connections
Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
SC-7(28) - Connections To Public Networks
Prohibit the direct connection of [Assignment: organization-defined system] to a public network.
SC-7(29) - Separate Subnets To Isolate Functions
Implement [Selection: physically; logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions].
TRANSMISSION CONFIDENTIALITY AND INTEGRITY
RMF Control
SC-8
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.
Instructions
Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.
Assessment Procedures
SC-8.1 - CCI-002418
The information system protects the confidentiality and/or integrity of transmitted information.
Related Controls
  1. AC-17 - Remote Access
  2. AC-18 - Wireless Access
  3. AU-10 - Non-Repudiation
  4. IA-3 - Device Identification And Authentication
  5. IA-8 - Identification And Authentication (Non-Organizational Users)
  6. IA-9 - Service Identification And Authentication
  7. MA-4 - Nonlocal Maintenance
  8. PE-4 - Access Control For Transmission
  9. SA-4 - Acquisition Process
  10. SA-8 - Security And Privacy Engineering Principles
  11. SC-7 - Boundary Protection
  12. SC-16 - Transmission Of Security And Privacy Attributes
  13. SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
  14. SC-23 - Session Authenticity
  15. SC-28 - Protection Of Information At Rest
References
  1. Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1., "SP 800-77" https://doi.org/10.6028/NIST.SP.800-77r1
  2. Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2., "SP 800-81-2" https://doi.org/10.6028/NIST.SP.800-81-2
  3. Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023., "IR 8023" https://doi.org/10.6028/NIST.IR.8023
  4. Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113., "SP 800-113" https://doi.org/10.6028/NIST.SP.800-113
  5. McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2., "SP 800-52" https://doi.org/10.6028/NIST.SP.800-52r2
  6. National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197., "FIPS 197" https://doi.org/10.6028/NIST.FIPS.197
  7. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  8. Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1., "SP 800-177" https://doi.org/10.6028/NIST.SP.800-177r1
Enhancements
SC-8(1) - Cryptographic Protection
Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
SC-8(2) - Pre- And Post-Transmission Handling
Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
SC-8(3) - Cryptographic Protection For Message Externals
Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].
SC-8(4) - Conceal Or Randomize Communications
Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].
SC-8(5) - Protected Distribution System
Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
TRANSMISSION CONFIDENTIALITY
RMF Control
SC-9
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into SC-8].
Assessment Procedures
Related Controls
References
Enhancements
NETWORK DISCONNECT
RMF Control
SC-10
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
Instructions
Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Assessment Procedures
SC-10.1 - CCI-001133
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
SC-10.2 - CCI-001134
The organization defines the time period of inactivity after which the information system terminates a network connection associated with a communications session.
Related Controls
  1. AC-17 - Remote Access
  2. SC-23 - Session Authenticity
References
Enhancements
TRUSTED PATH
RMF Control
SC-11
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) directly with the security functions of systems with the requisite assurance to support security policies. Trusted path mechanisms can only be activated by users or the security functions of organizational systems. User responses that occur via trusted paths are protected from modification by and disclosure to untrusted applications. Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted paths employed an out-of-band signal to initiate the path, such as using the <BREAK> key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used (e.g., the <CTRL> + <ALT> + <DEL> keys). Such key combinations, however, are platform-specific and may not provide a trusted path implementation in every case. The enforcement of trusted communications paths is provided by a specific implementation that meets the reference monitor concept.
Instructions
SC-11a.
Provide a [Selection: physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system; and
SC-11b.
Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions].
Assessment Procedures
SC-11.1 - CCI-001135
The information system establishes a trusted communications path between the user and organization-defined security functions within the information system.
SC-11.2 - CCI-001661
The organization defines the security functions, to minimally include information system authentication and re-authentication, within the information system to be included in a trusted communications path.
Related Controls
  1. AC-16 - Security And Privacy Attributes
  2. AC-25 - Reference Monitor
  3. SC-12 - Cryptographic Key Establishment And Management
  4. SC-23 - Session Authenticity
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SC-11(1) - Irrefutable Communications Path
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
RMF Control
SC-12
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.
Instructions
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Assessment Procedures
SC-12.1 - CCI-002428
The organization defines the requirements for cryptographic key generation to be employed within the information system.
SC-12.2 - CCI-002429
The organization defines the requirements for cryptographic key distribution to be employed within the information system.
SC-12.3 - CCI-002430
The organization defines the requirements for cryptographic key storage to be employed within the information system.
SC-12.4 - CCI-002431
The organization defines the requirements for cryptographic key access to be employed within the information system.
SC-12.5 - CCI-002432
The organization defines the requirements for cryptographic key destruction to be employed within the information system.
SC-12.6 - CCI-002433
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation.
SC-12.7 - CCI-002434
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.
SC-12.8 - CCI-002435
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage.
SC-12.9 - CCI-002436
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access.
SC-12.10 - CCI-002437
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction.
SC-12.11 - CCI-002438
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation.
SC-12.12 - CCI-002439
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.
SC-12.13 - CCI-002440
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage.
SC-12.14 - CCI-002441
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access.
SC-12.15 - CCI-002442
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction.
Related Controls
  1. AC-17 - Remote Access
  2. AU-9 - Protection Of Audit Information
  3. AU-10 - Non-Repudiation
  4. CM-3 - Configuration Change Control
  5. IA-3 - Device Identification And Authentication
  6. IA-7 - Cryptographic Module Authentication
  7. SA-4 - Acquisition Process
  8. SA-8 - Security And Privacy Engineering Principles
  9. SA-9 - External System Services
  10. SC-8 - Transmission Confidentiality And Integrity
  11. SC-11 - Trusted Path
  12. SC-12 - Cryptographic Key Establishment And Management
  13. SC-13 - Cryptographic Protection
  14. SC-17 - Public Key Infrastructure Certificates
  15. SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
  16. SC-37 - Out-Of-Band Channels
  17. SC-40 - Wireless Link Protection
  18. SI-3 - Malicious Code Protection
  19. SI-7 - Software, Firmware, And Information Integrity
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2., "SP 800-56C" https://doi.org/10.6028/NIST.SP.800-56Cr2
  4. Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3., "SP 800-56A" https://doi.org/10.6028/NIST.SP.800-56Ar3
  5. Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2., "SP 800-56B" https://doi.org/10.6028/NIST.SP.800-56Br2
  6. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
  7. Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956., "IR 7956" https://doi.org/10.6028/NIST.IR.7956
  8. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  9. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  10. Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966., "IR 7966" https://doi.org/10.6028/NIST.IR.7966
Enhancements
SC-12(1) - Availability
Maintain availability of information in the event of the loss of cryptographic keys by users.
SC-12(2) - Symmetric Keys
Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes.
SC-12(3) - Asymmetric Keys
Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements].
SC-12(4) - Pki Certificates
[Withdrawn: Incorporated into SC-12(3)].
SC-12(5) - Pki Certificates / Hardware Tokens
[Withdrawn: Incorporated into SC-12(3)].
SC-12(6) - Physical Control Of Keys
Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
CRYPTOGRAPHIC PROTECTION
RMF Control
SC-13
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
SC-13a.
Determine the [Assignment: organization-defined cryptographic uses]; and
SC-13b.
Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].
Assessment Procedures
SC-13.1 - CCI-002449
The organization defines the cryptographic uses, and type of cryptography required for each use, to be implemented by the information system.
SC-13.2 - CCI-002450
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-7 - Unsuccessful Logon Attempts
  4. AC-17 - Remote Access
  5. AC-18 - Wireless Access
  6. AC-19 - Access Control For Mobile Devices
  7. AU-9 - Protection Of Audit Information
  8. AU-10 - Non-Repudiation
  9. CM-11 - User-Installed Software
  10. CP-9 - System Backup
  11. IA-3 - Device Identification And Authentication
  12. IA-5 - Authenticator Management
  13. IA-7 - Cryptographic Module Authentication
  14. MA-4 - Nonlocal Maintenance
  15. MP-2 - Media Access
  16. MP-4 - Media Storage
  17. MP-5 - Media Transport
  18. SA-4 - Acquisition Process
  19. SA-8 - Security And Privacy Engineering Principles
  20. SA-9 - External System Services
  21. SC-8 - Transmission Confidentiality And Integrity
  22. SC-12 - Cryptographic Key Establishment And Management
  23. SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
  24. SC-23 - Session Authenticity
  25. SC-28 - Protection Of Information At Rest
  26. SC-40 - Wireless Link Protection
  27. SI-3 - Malicious Code Protection
  28. SI-7 - Software, Firmware, And Information Integrity
References
  1. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
Enhancements
SC-13(1) - Fips-Validated Cryptography
[Withdrawn: Incorporated into SC-13].
SC-13(2) - Nsa-Approved Cryptography
[Withdrawn: Incorporated into SC-13].
SC-13(3) - Individuals Without Formal Access Approvals
[Withdrawn: Incorporated into SC-13].
SC-13(4) - Digital Signatures
[Withdrawn: Incorporated into SC-13].
PUBLIC ACCESS PROTECTIONS
RMF Control
SC-14
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].
Assessment Procedures
Related Controls
References
Enhancements
COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS
RMF Control
SC-15
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.
Instructions
SC-15a.
Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
SC-15b.
Provide an explicit indication of use to users physically present at the devices.
Assessment Procedures
SC-15.1 - CCI-001150
The information system prohibits remote activation of collaborative computing devices excluding the organization-defined exceptions where remote activation is to be allowed.
SC-15.2 - CCI-001151
The organization defines exceptions to the prohibiting of collaborative computing devices where remote activation is to be allowed.
SC-15.3 - CCI-001152
The information system provides an explicit indication of use to users physically present at collaborative computing devices.
Related Controls
  1. AC-21 - Information Sharing
  2. SC-42 - Sensor Capability And Data
References
Enhancements
SC-15(1) - Physical Or Logical Disconnect
Provide [Selection (one or more): physical; logical] disconnect of collaborative computing devices in a manner that supports ease of use.
SC-15(2) - Blocking Inbound And Outbound Communications Traffic
[Withdrawn: Incorporated into SC-7].
SC-15(3) - Disabling And Removal In Secure Work Areas
Disable or remove collaborative computing devices and applications from [Assignment: organization-defined systems or system components] in [Assignment: organization-defined secure work areas].
SC-15(4) - Explicitly Indicate Current Participants
Provide an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES
RMF Control
SC-16
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system. Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes.
Instructions
Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.
Assessment Procedures
SC-16.1 - CCI-001157
The information system associates organization-defined security attributes with information exchanged between information systems.
SC-16.2 - CCI-002454
The organization defines the security attributes the information system is to associate with the information being exchanged between information systems and between information system components.
SC-16.3 - CCI-002455
The information system associates organization-defined security attributes with information exchanged between information system components.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-16 - Security And Privacy Attributes
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SC-16(1) - Integrity Verification
Verify the integrity of transmitted security and privacy attributes.
SC-16(2) - Anti-Spoofing Mechanisms
Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
SC-16(3) - Cryptographic Binding
Implement [Assignment: organization-defined mechanisms or techniques] to bind security and privacy attributes to transmitted information.
PUBLIC KEY INFRASTRUCTURE CERTIFICATES
RMF Control
SC-17
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.
Instructions
SC-17a.
Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and
SC-17b.
Include only approved trust anchors in trust stores or certificate stores managed by the organization.
Assessment Procedures
SC-17.1 - CCI-001159
The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider.
SC-17.2 - CCI-002456
The organization defines the certificate policy employed to issue public key certificates.
Related Controls
  1. AU-10 - Non-Repudiation
  2. IA-5 - Authenticator Management
  3. SC-12 - Cryptographic Key Establishment And Management
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
  4. Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020., "SP 800-63-3" https://doi.org/10.6028/NIST.SP.800-63-3
  5. Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32., "SP 800-32" https://doi.org/10.6028/NIST.SP.800-32
Enhancements
MOBILE CODE
RMF Control
SC-18
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
Instructions
SC-18a.
Define acceptable and unacceptable mobile code and mobile code technologies; and
SC-18b.
Authorize, monitor, and control the use of mobile code within the system.
Assessment Procedures
SC-18.1 - CCI-001160
The organization defines acceptable and unacceptable mobile code and mobile code technologies.
SC-18.2 - CCI-001161
The organization establishes usage restrictions for acceptable mobile code and mobile code technologies.
SC-18.3 - CCI-001162
The organization establishes implementation guidance for acceptable mobile code and mobile code technologies.
SC-18.4 - CCI-001163
The organizations authorizes the use of mobile code within the information system.
SC-18.5 - CCI-001164
The organization monitors the use of mobile code within the information system.
SC-18.6 - CCI-001165
The organization controls the use of mobile code within the information system.
Related Controls
  1. AU-2 - Event Logging
  2. AU-12 - Audit Record Generation
  3. CM-2 - Baseline Configuration
  4. CM-6 - Configuration Settings
  5. SI-3 - Malicious Code Protection
References
  1. Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2., "SP 800-28" https://doi.org/10.6028/NIST.SP.800-28ver2
Enhancements
SC-18(1) - Identify Unacceptable Code And Take Corrective Actions
Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions].
SC-18(2) - Acquisition, Development, And Use
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements].
SC-18(3) - Prevent Downloading And Execution
Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code].
SC-18(4) - Prevent Automatic Execution
Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code.
SC-18(5) - Allow Execution Only In Confined Environments
Allow execution of permitted mobile code only in confined virtual machine environments.
VOICE OVER INTERNET PROTOCOL
RMF Control
SC-19
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
Description
Instructions
Technology-specific; addressed as any other technology or protocol.
Assessment Procedures
SC-19.1 - CCI-001173
The organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.
SC-19.2 - CCI-001174
The organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.
SC-19.3 - CCI-001175
The organization authorizes the use of VoIP within the information system.
SC-19.4 - CCI-001176
The organization monitors the use of VoIP within the information system.
SC-19.5 - CCI-001177
The organization controls the use of VoIP within the information system.
Related Controls
References
Enhancements
SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
RMF Control
SC-20
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.
Instructions
SC-20a.
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
SC-20b.
Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Assessment Procedures
SC-20.1 - CCI-001178
The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SC-20.2 - CCI-002462
The information system provides additional integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SC-20.3 - CCI-001179
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones.
SC-20.4 - CCI-001663
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
Related Controls
  1. AU-10 - Non-Repudiation
  2. SC-8 - Transmission Confidentiality And Integrity
  3. SC-12 - Cryptographic Key Establishment And Management
  4. SC-13 - Cryptographic Protection
  5. SC-21 - Secure Name/Address Resolution Service (Recursive Or Caching Resolver)
  6. SC-22 - Architecture And Provisioning For Name/Address Resolution Service
References
  1. Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2., "SP 800-81-2" https://doi.org/10.6028/NIST.SP.800-81-2
  2. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  3. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
Enhancements
SC-20(1) - Child Subspaces
[Withdrawn: Incorporated into SC-20].
SC-20(2) - Data Origin And Integrity
Provide data origin and integrity protection artifacts for internal name/address resolution queries.
SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
RMF Control
SC-21
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.
Instructions
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Assessment Procedures
SC-21.1 - CCI-002465
The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
SC-21.2 - CCI-002466
The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21.3 - CCI-002467
The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21.4 - CCI-002468
The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
Related Controls
  1. SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
  2. SC-22 - Architecture And Provisioning For Name/Address Resolution Service
References
  1. Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2., "SP 800-81-2" https://doi.org/10.6028/NIST.SP.800-81-2
Enhancements
SC-21(1) - Data Origin And Integrity
[Withdrawn: Incorporated into SC-21].
ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE
RMF Control
SC-22
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).
Instructions
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
Assessment Procedures
SC-22.1 - CCI-001182
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant.
SC-22.2 - CCI-001183
The information systems that collectively provide name/address resolution service for an organization implement internal/external role separation.
Related Controls
  1. SC-2 - Separation Of System And User Functionality
  2. SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
  3. SC-21 - Secure Name/Address Resolution Service (Recursive Or Caching Resolver)
  4. SC-24 - Fail In Known State
References
  1. Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2., "SP 800-81-2" https://doi.org/10.6028/NIST.SP.800-81-2
Enhancements
SESSION AUTHENTICITY
RMF Control
SC-23
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.
Instructions
Protect the authenticity of communications sessions.
Assessment Procedures
SC-23.1 - CCI-001184
The information system protects the authenticity of communications sessions.
Related Controls
  1. AU-10 - Non-Repudiation
  2. SC-8 - Transmission Confidentiality And Integrity
  3. SC-10 - Network Disconnect
  4. SC-11 - Trusted Path
References
  1. Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1., "SP 800-77" https://doi.org/10.6028/NIST.SP.800-77r1
  2. Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113., "SP 800-113" https://doi.org/10.6028/NIST.SP.800-113
  3. McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2., "SP 800-52" https://doi.org/10.6028/NIST.SP.800-52r2
  4. Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95., "SP 800-95" https://doi.org/10.6028/NIST.SP.800-95
Enhancements
SC-23(1) - Invalidate Session Identifiers At Logout
Invalidate session identifiers upon user logout or other session termination.
SC-23(2) - User-Initiated Logouts And Message Displays
[Withdrawn: Incorporated into AC-12(1)].
SC-23(3) - Unique System-Generated Session Identifiers
Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.
SC-23(4) - Unique Session Identifiers With Randomization
[Withdrawn: Incorporated into SC-23(3)].
SC-23(5) - Allowed Certificate Authorities
Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
FAIL IN KNOWN STATE
RMF Control
SC-24
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
HIGH
Description
Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.
Instructions
Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].
Assessment Procedures
SC-24.1 - CCI-001190
The information system fails to an organization-defined known-state for organization-defined types of failures.
SC-24.2 - CCI-001191
The organization defines the known states the information system should fail to in the event of a organization-defined system failure.
SC-24.3 - CCI-001192
The organization defines types of failures for which the information system should fail to an organization-defined known state.
SC-24.4 - CCI-001193
The organization defines system state information that should be preserved in the event of a system failure.
SC-24.5 - CCI-001665
The information system preserves organization-defined system state information in the event of a system failure.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-4 - Contingency Plan Testing
  3. CP-10 - System Recovery And Reconstitution
  4. CP-12 - Safe Mode
  5. SA-8 - Security And Privacy Engineering Principles
  6. SC-7 - Boundary Protection
  7. SC-22 - Architecture And Provisioning For Name/Address Resolution Service
  8. SI-13 - Predictable Failure Prevention
References
Enhancements
THIN NODES
RMF Control
SC-25
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
The deployment of system components with minimal functionality reduces the need to secure every endpoint and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies.
Instructions
Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].
Assessment Procedures
SC-25.1 - CCI-001194
The information system employs organization-defined information system components with minimal functionality and information storage.
SC-25.2 - CCI-002471
The organization defines the information system components, with minimal functionality and information storage, to be employed.
Related Controls
  1. SC-30 - Concealment And Misdirection
  2. SC-44 - Detonation Chambers
References
Enhancements
DECOYS
RMF Control
SC-26
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and deflect attacks away from the operational systems that support organizational mission and business functions. Use of decoys requires some supporting isolation measures to ensure that any deflected malicious code does not infect organizational systems. Depending on the specific usage of the decoy, consultation with the Office of the General Counsel before deployment may be needed.
Instructions
Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.
Assessment Procedures
SC-26.1 - CCI-001195
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
Related Controls
  1. RA-5 - Vulnerability Monitoring And Scanning
  2. SC-7 - Boundary Protection
  3. SC-30 - Concealment And Misdirection
  4. SC-35 - External Malicious Code Identification
  5. SC-44 - Detonation Chambers
  6. SI-3 - Malicious Code Protection
  7. SI-4 - System Monitoring
References
Enhancements
SC-26(1) - Detection Of Malicious Code
[Withdrawn: Incorporated into SC-35].
PLATFORM-INDEPENDENT APPLICATIONS
RMF Control
SC-27
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Platforms are combinations of hardware, firmware, and software components used to execute software applications. Platforms include operating systems, the underlying computer architectures, or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. Application portability and the ability to reconstitute on different platforms increase the availability of mission-essential functions within organizations in situations where systems with specific operating systems are under attack.
Instructions
Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications].
Assessment Procedures
SC-27.1 - CCI-001197
The information system includes organization-defined platform-independent applications.
SC-27.2 - CCI-001198
The organization defines applications that are platform independent.
Related Controls
  1. SC-29 - Heterogeneity
References
Enhancements
PROTECTION OF INFORMATION AT REST
RMF Control
SC-28
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
MODERATE, HIGH
Description
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.
Instructions
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].
Assessment Procedures
SC-28.1 - CCI-001199
The information system protects the confidentiality and/or integrity of organization-defined information at rest.
SC-28.2 - CCI-002472
The organization defines the information at rest that is to be protected by the information system.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-6 - Least Privilege
  4. AC-19 - Access Control For Mobile Devices
  5. CA-7 - Continuous Monitoring
  6. CM-3 - Configuration Change Control
  7. CM-5 - Access Restrictions For Change
  8. CM-6 - Configuration Settings
  9. CP-9 - System Backup
  10. MP-4 - Media Storage
  11. MP-5 - Media Transport
  12. PE-3 - Physical Access Control
  13. SC-8 - Transmission Confidentiality And Integrity
  14. SC-12 - Cryptographic Key Establishment And Management
  15. SC-13 - Cryptographic Protection
  16. SC-34 - Non-Modifiable Executable Programs
  17. SI-3 - Malicious Code Protection
  18. SI-7 - Software, Firmware, And Information Integrity
  19. SI-16 - Memory Protection
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2., "SP 800-56C" https://doi.org/10.6028/NIST.SP.800-56Cr2
  4. Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3., "SP 800-56A" https://doi.org/10.6028/NIST.SP.800-56Ar3
  5. Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2., "SP 800-56B" https://doi.org/10.6028/NIST.SP.800-56Br2
  6. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
  7. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  8. Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111., "SP 800-111" https://doi.org/10.6028/NIST.SP.800-111
  9. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
SC-28(1) - Cryptographic Protection
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].
SC-28(2) - Offline Storage
Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].
SC-28(3) - Cryptographic Keys
Provide protected storage for cryptographic keys [Selection: [Assignment: organization-defined safeguards]; hardware-protected key store].
HETEROGENEITY
RMF Control
SC-29
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.
Instructions
Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].
Assessment Procedures
SC-29.1 - CCI-001201
The organization employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system.
SC-29.2 - CCI-002480
The organization defines the information system components for which a diverse set of information technologies are to be employed.
Related Controls
  1. AU-9 - Protection Of Audit Information
  2. PL-8 - Security And Privacy Architectures
  3. SC-27 - Platform-Independent Applications
  4. SC-30 - Concealment And Misdirection
  5. SR-3 - Supply Chain Controls And Processes
References
Enhancements
SC-29(1) - Virtualization Techniques
Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
CONCEALMENT AND MISDIRECTION
RMF Control
SC-30
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of concealment and misdirection techniques and methods—including randomness, uncertainty, and virtualization—may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system.
Instructions
Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].
Assessment Procedures
SC-30.1 - CCI-002482
The organization defines the concealment and misdirection techniques employed for organization-defined information systems to confuse and mislead adversaries.
SC-30.2 - CCI-002483
The organization defines the information systems for which organization-defined concealment and misdirection techniques are to be employed.
SC-30.3 - CCI-002484
The organization defines the time periods at which it will employ organization-defined concealment and misdirection techniques on organization-defined information systems.
SC-30.4 - CCI-002485
The organization employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries.
Related Controls
  1. AC-6 - Least Privilege
  2. SC-25 - Thin Nodes
  3. SC-26 - Decoys
  4. SC-29 - Heterogeneity
  5. SC-44 - Detonation Chambers
  6. SI-14 - Non-Persistence
References
Enhancements
SC-30(1) - Virtualization Techniques
[Withdrawn: Incorporated into SC-29(1)].
SC-30(2) - Randomness
Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
SC-30(3) - Change Processing And Storage Locations
Change the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals].
SC-30(4) - Misleading Information
Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.
SC-30(5) - Concealment Of System Components
Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques].
COVERT CHANNEL ANALYSIS
RMF Control
SC-31
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, such as in the case of systems that contain export-controlled information and have connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems.
Instructions
SC-31a.
Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
SC-31b.
Estimate the maximum bandwidth of those channels.
Assessment Procedures
SC-31.1 - CCI-002498
The organization performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert storage and/or timing channels.
SC-31.2 - CCI-002499
The organization estimates the maximum bandwidth of the covert storage and timing channels.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. SA-8 - Security And Privacy Engineering Principles
  4. SI-11 - Error Handling
References
Enhancements
SC-31(1) - Test Covert Channels For Exploitability
Test a subset of the identified covert channels to determine the channels that are exploitable.
SC-31(2) - Maximum Bandwidth
Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values].
SC-31(3) - Measure Bandwidth In Operational Environments
Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system.
SYSTEM PARTITIONING
RMF Control
SC-32
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
System partitioning is part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Security categorization can guide the selection of candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components.
Instructions
Partition the system into [Assignment: organization-defined system components] residing in separate [Selection: physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components].
Assessment Procedures
SC-32.1 - CCI-002504
The organization defines the information system components into which the information system is partitioned.
SC-32.2 - CCI-002505
The organization defines the circumstances under which the information system components are to be physically separated to support partitioning.
SC-32.3 - CCI-002506
The organization partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components.
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. AC-6 - Least Privilege
  3. SA-8 - Security And Privacy Engineering Principles
  4. SC-2 - Separation Of System And User Functionality
  5. SC-3 - Security Function Isolation
  6. SC-7 - Boundary Protection
  7. SC-36 - Distributed Processing And Storage
References
  1. National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199., "FIPS 199" https://doi.org/10.6028/NIST.FIPS.199
  2. Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179., "IR 8179" https://doi.org/10.6028/NIST.IR.8179
Enhancements
SC-32(1) - Separate Physical Domains For Privileged Functions
Partition privileged functions into separate physical domains.
TRANSMISSION PREPARATION INTEGRITY
RMF Control
SC-33
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into SC-8].
Assessment Procedures
Related Controls
References
Enhancements
NON-MODIFIABLE EXECUTABLE PROGRAMS
RMF Control
SC-34
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.
Instructions
For [Assignment: organization-defined system components], load and execute:
SC-34a.
The operating environment from hardware-enforced, read-only media; and
SC-34b.
The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].
Assessment Procedures
SC-34.1 - CCI-001212
The organization defines information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media.
SC-34.2 - CCI-001210
The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media.
SC-34.3 - CCI-001211
The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media.
SC-34.4 - CCI-001213
The organization defines applications that will be loaded and executed from hardware-enforced, read-only media.
Related Controls
  1. AC-3 - Access Enforcement
  2. SI-7 - Software, Firmware, And Information Integrity
  3. SI-14 - Non-Persistence
References
Enhancements
SC-34(1) - No Writable Storage
Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off.
SC-34(2) - Integrity Protection On Read-Only Media
Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.
SC-34(3) - Hardware-Based Protection
[Withdrawn: Moved to SC-51].
EXTERNAL MALICIOUS CODE IDENTIFICATION
RMF Control
SC-35
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.
Instructions
Include system components that proactively seek to identify network-based malicious code or malicious websites.
Assessment Procedures
SC-35.1 - CCI-001196
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
Related Controls
  1. SC-7 - Boundary Protection
  2. SC-26 - Decoys
  3. SC-44 - Detonation Chambers
  4. SI-3 - Malicious Code Protection
  5. SI-4 - System Monitoring
References
Enhancements
DISTRIBUTED PROCESSING AND STORAGE
RMF Control
SC-36
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increase the work factor of adversaries to adversely impact organizational operations, assets, and individuals. The use of distributed processing and storage does not assume a single primary processing or storage location. Therefore, it allows for parallel processing and storage.
Instructions
Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components].
Assessment Procedures
SC-36.1 - CCI-002513
The organization defines the processing that is to be distributed across multiple physical locations.
SC-36.2 - CCI-002514
The organization defines the storage that is to be distributed across multiple physical locations.
SC-36.3 - CCI-002515
The organization distributes organization-defined processing across multiple physical locations.
SC-36.4 - CCI-002516
The organization distributes organization-defined storage across multiple physical locations.
Related Controls
  1. CP-6 - Alternate Storage Site
  2. CP-7 - Alternate Processing Site
  3. PL-8 - Security And Privacy Architectures
  4. SC-32 - System Partitioning
References
  1. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
SC-36(1) - Polling Techniques
SC-36(2) - Synchronization
Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components].
OUT-OF-BAND CHANNELS
RMF Control
SC-37
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.
Instructions
Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].
Assessment Procedures
SC-37.1 - CCI-002521
The organization defines the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, information system components, or devices.
SC-37.2 - CCI-002522
The organization defines the information, information system components or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels.
SC-37(1).1 - CCI-002523
The organization defines the individuals or information systems authorized to be recipients of organization-defined information, information system components, or devices to be delivered by employing organization-defined out-of-band channels for electronic transmission or physical delivery.
SC-37.4 - CCI-002524
The organization employs organization-defined out-of-band channels for the electronic transmission or physical delivery of organization-defined information, information system components, or devices to organization-defined individuals or information systems.
Related Controls
  1. AC-2 - Account Management
  2. CM-3 - Configuration Change Control
  3. CM-5 - Access Restrictions For Change
  4. CM-7 - Least Functionality
  5. IA-2 - Identification And Authentication (Organizational Users)
  6. IA-4 - Identifier Management
  7. IA-5 - Authenticator Management
  8. MA-4 - Nonlocal Maintenance
  9. SC-12 - Cryptographic Key Establishment And Management
  10. SI-3 - Malicious Code Protection
  11. SI-4 - System Monitoring
  12. SI-7 - Software, Firmware, And Information Integrity
References
  1. Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5., "SP 800-57-1" https://doi.org/10.6028/NIST.SP.800-57pt1r5
  2. Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1., "SP 800-57-2" https://doi.org/10.6028/NIST.SP.800-57pt2r1
  3. Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1., "SP 800-57-3" https://doi.org/10.6028/NIST.SP.800-57pt3r1
Enhancements
SC-37(1) - Ensure Delivery And Transmission
Employ [Assignment: organization-defined controls] to ensure that only [Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: [Assignment: organization-defined information, system components, or devices].
OPERATIONS SECURITY
RMF Control
SC-38
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.
Instructions
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].
Assessment Procedures
SC-38.1 - CCI-002528
The organization defines the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle.
SC-38.2 - CCI-002529
The organization employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle.
Related Controls
  1. CA-2 - Control Assessments
  2. CA-7 - Continuous Monitoring
  3. PL-1 - Policy And Procedures
  4. PM-9 - Risk Management Strategy
  5. PM-12 - Insider Threat Program
  6. RA-2 - Security Categorization
  7. RA-3 - Risk Assessment
  8. RA-5 - Vulnerability Monitoring And Scanning
  9. SC-7 - Boundary Protection
  10. SR-3 - Supply Chain Controls And Processes
  11. SR-7 - Supply Chain Operations Security
References
Enhancements
PROCESS ISOLATION
RMF Control
SC-39
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
LOW, MODERATE, HIGH
Description
Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.
Instructions
Maintain a separate execution domain for each executing system process.
Assessment Procedures
SC-39.1 - CCI-002530
The information system maintains a separate execution domain for each executing process.
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. AC-6 - Least Privilege
  4. AC-25 - Reference Monitor
  5. SA-8 - Security And Privacy Engineering Principles
  6. SC-2 - Separation Of System And User Functionality
  7. SC-3 - Security Function Isolation
  8. SI-16 - Memory Protection
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SC-39(1) - Hardware Separation
Implement hardware separation mechanisms to facilitate process isolation.
SC-39(2) - Separate Execution Domain Per Thread
Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].
WIRELESS LINK PROTECTION
RMF Control
SC-40
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Wireless link protection applies to internal and external wireless communication links that may be visible to individuals who are not authorized system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or spoof system users. Protection of wireless links reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement wireless link protections to the extent necessary to meet organizational security requirements.
Instructions
Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
Assessment Procedures
SC-40.1 - CCI-002534
The organization defines types of signal parameter attacks or references to sources for such attacks from which the information system protects organization-defined wireless links.
SC-40.2 - CCI-002535
The organization defines the external and internal wireless links the information system is to protect from organization-defined types of signal parameter attacks or references to sources for such attacks.
SC-40.3 - CCI-002536
The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.
Related Controls
  1. AC-18 - Wireless Access
  2. SC-5 - Denial-Of-Service Protection
References
Enhancements
SC-40(1) - Electromagnetic Interference
Implement cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
SC-40(2) - Reduce Detection Potential
Implement cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].
SC-40(3) - Imitative Or Manipulative Communications Deception
Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
SC-40(4) - Signal Parameter Identification
Implement cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
PORT AND I/O DEVICE ACCESS
RMF Control
SC-41
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/output (I/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action.
Instructions
[Selection: Physically; Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].
Assessment Procedures
SC-41.1 - CCI-002544
The organization defines the information systems or information system components on which organization-defined connection ports or input/output devices are to be physically disabled or removed.
SC-41.2 - CCI-002545
The organization defines the connection ports or input/output devices that are to be physically disabled or removed from organization-defined information systems or information system components.
SC-41.3 - CCI-002546
The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components.
Related Controls
  1. AC-20 - Use Of External Systems
  2. MP-7 - Media Use
References
Enhancements
SENSOR CAPABILITY AND DATA
RMF Control
SC-42
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the movements of an individual. Organizations may prohibit individuals from bringing cellular telephones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations are taking place.
Instructions
SC-42a.
Prohibit [Selection (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]]; and
SC-42b.
Provide an explicit indication of sensor use to [Assignment: organization-defined group of users].
Assessment Procedures
SC-42.1 - CCI-002547
The organization defines the exceptions where remote activation of sensors is allowed.
SC-42.2 - CCI-002548
The information system prohibits the remote activation of environmental sensing capabilities except for the organization-defined exceptions where remote activation of sensors is allowed.
SC-42.3 - CCI-002549
The organization defines the class of users to receive explicit indication of sensor use.
SC-42.4 - CCI-002550
The information system provides an explicit indication of sensor use to the organization-defined class of users.
Related Controls
  1. SC-15 - Collaborative Computing Devices And Applications
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
SC-42(1) - Reporting To Authorized Individuals Or Roles
Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
SC-42(2) - Authorized Use
Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes: [Assignment: organization-defined measures].
SC-42(3) - Prohibit Use Of Devices
[Withdrawn: Incorporated into SC-42].
SC-42(4) - Notice Of Collection
Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [Assignment: organization-defined sensors]: [Assignment: organization-defined measures].
SC-42(5) - Collection Minimization
Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed.
USAGE RESTRICTIONS
RMF Control
SC-43
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Usage restrictions apply to all system components including but not limited to mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage restrictions and implementation guidelines are based on the potential for system components to cause damage to the system and help to ensure that only authorized system use occurs.
Instructions
SC-43a.
Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and
SC-43b.
Authorize, monitor, and control the use of such components within the system.
Assessment Procedures
SC-43.1 - CCI-002559
The organization defines the information system components for which usage restrictions and implementation guidance are to be established.
SC-43.2 - CCI-002560
The organization establishes usage restrictions and implementation guidance for organization-defined information system components based on the potential to cause damage to the information system if used maliciously.
SC-43.3 - CCI-002561
The organization authorizes the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.
SC-43.4 - CCI-002562
The organization monitors the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.
SC-43.5 - CCI-002563
The organization controls the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.
Related Controls
  1. AC-18 - Wireless Access
  2. AC-19 - Access Control For Mobile Devices
  3. CM-6 - Configuration Settings
  4. SC-7 - Boundary Protection
  5. SC-18 - Mobile Code
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1., "SP 800-124" https://doi.org/10.6028/NIST.SP.800-124r1
Enhancements
DETONATION CHAMBERS
RMF Control
SC-44
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.
Instructions
Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location].
Assessment Procedures
SC-44.1 - CCI-002564
The organization defines the information system, system components, or location where a detonation chamber (i.e., dynamic execution environments) capability is employed.
SC-44.2 - CCI-002565
The organization employs a detonation chamber (i.e., dynamic execution environments) capability within an organization-defined information system, system component, or location.
Related Controls
  1. SC-7 - Boundary Protection
  2. SC-18 - Mobile Code
  3. SC-25 - Thin Nodes
  4. SC-26 - Decoys
  5. SC-30 - Concealment And Misdirection
  6. SC-35 - External Malicious Code Identification
  7. SC-39 - Process Isolation
  8. SI-3 - Malicious Code Protection
  9. SI-7 - Software, Firmware, And Information Integrity
References
  1. Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1., "SP 800-177" https://doi.org/10.6028/NIST.SP.800-177r1
Enhancements
SYSTEM TIME SYNCHRONIZATION
RMF Control
SC-45
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities.
Instructions
Synchronize system clocks within and between systems and system components.
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. AU-8 - Time Stamps
  3. IA-2 - Identification And Authentication (Organizational Users)
  4. IA-8 - Identification And Authentication (Non-Organizational Users)
References
  1. Internet Engineering Task Force (IETF), Request for Comments: 5905, , June 2010., "IETF 5905" https://tools.ietf.org/pdf/rfc5905.pdf
Enhancements
SC-45(1) - Synchronization With Authoritative Time Source
SC-45(2) - Secondary Authoritative Time Source
CROSS DOMAIN POLICY ENFORCEMENT
RMF Control
SC-46
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact ncdsmo@nsa.gov for more information.
Instructions
Implement a policy enforcement mechanism [Selection: physically; logically] between the physical and/or network interfaces for the connecting security domains.
Assessment Procedures
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. SC-7 - Boundary Protection
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
ALTERNATE COMMUNICATIONS PATHS
RMF Control
SC-47
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident.
Instructions
Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control.
Assessment Procedures
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-8 - Telecommunications Services
References
  1. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
  2. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
  3. Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010., "SP 800-34" https://doi.org/10.6028/NIST.SP.800-34r1
Enhancements
SENSOR RELOCATION
RMF Control
SC-48
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information that the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging.
Instructions
Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
Assessment Procedures
Related Controls
  1. AU-2 - Event Logging
  2. SC-7 - Boundary Protection
  3. SI-4 - System Monitoring
References
  1. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
SC-48(1) - Dynamic Relocation Of Sensors Or Monitoring Capabilities
Dynamically relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
HARDWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT
RMF Control
SC-49
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.
Instructions
Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].
Assessment Procedures
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. SA-8 - Security And Privacy Engineering Principles
  3. SC-50 - Software-Enforced Separation And Policy Enforcement
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
SOFTWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT
RMF Control
SC-50
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.
Instructions
Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].
Assessment Procedures
Related Controls
  1. AC-3 - Access Enforcement
  2. AC-4 - Information Flow Enforcement
  3. SA-8 - Security And Privacy Engineering Principles
  4. SC-2 - Separation Of System And User Functionality
  5. SC-3 - Security Function Isolation
  6. SC-49 - Hardware-Enforced Separation And Policy Enforcement
References
  1. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
Enhancements
HARDWARE-BASED PROTECTION
RMF Control
SC-51
Subject Area
SYSTEM AND COMMUNICATIONS PROTECTION
Baseline Areas
NOT SELECTED
Description
None.
Instructions
SC-51a.
Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and
SC-51b.
Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
Assessment Procedures
Related Controls
References
Enhancements
POLICY AND PROCEDURES
RMF Control
SI-1
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
SI-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
SI-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and
SI-1c.
Review and update the current system and information integrity:
Assessment Procedures
SI-1.1 - CCI-002601
The organization defines the personnel or roles to whom the system and information integrity policy and procedures are to be disseminated.
SI-1.2 - CCI-001217
The organization develops and documents a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
SI-1.3 - CCI-001218
The organization disseminates the system and information integrity policy to organization-defined personnel or roles.
SI-1.4 - CCI-001220
The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
SI-1.5 - CCI-001221
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
SI-1.7 - CCI-001223
The organization defines the frequency of system and information integrity policy reviews and updates.
SI-1.6 - CCI-001219
The organization reviews and updates system and information integrity policy in accordance with organization-defined frequency.
SI-1.9 - CCI-001224
The organization defines the frequency of system and information integrity procedure reviews and updates
SI-1.8 - CCI-001222
The organization reviews and updates system and information integrity procedures in accordance with organization-defined frequency.
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PS-8 - Personnel Sanctions
  3. SA-8 - Security And Privacy Engineering Principles
  4. SI-12 - Information Management And Retention
References
  1. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  2. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  3. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
FLAW REMEDIATION
RMF Control
SI-2
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
LOW, MODERATE, HIGH
Description
The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.
Instructions
SI-2a.
Identify, report, and correct system flaws;
SI-2b.
Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
SI-2c.
Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
SI-2d.
Incorporate flaw remediation into the organizational configuration management process.
Assessment Procedures
SI-2.1 - CCI-001225
The organization identifies information system flaws.
SI-2.2 - CCI-001226
The organization reports information system flaws.
SI-2.3 - CCI-001227
The organization corrects information system flaws.
SI-2.4 - CCI-001228
The organization tests software updates related to flaw remediation for effectiveness before installation.
SI-2.5 - CCI-001229
The organization tests software updates related to flaw remediation for potential side effects before installation.
SI-2.12 - CCI-001230
The organization incorporates flaw remediation into the organizational configuration management process.
SI-2.6 - CCI-002602
The organization tests firmware updates related to flaw remediation for effectiveness before installation.
SI-2.7 - CCI-002603
The organization tests firmware updates related to flaw remediation for potential side effects before installation.
SI-2.8 - CCI-002604
The organization defines the time period within the release of updates that security-related software updates are to be installed.
SI-2.9 - CCI-002605
The organization installs security-relevant software updates within organization-defined time period of the release of the updates
SI-2.10 - CCI-002606
The organization defines the time period within the release of updates that security-related firmware updates are to be installed.
SI-2.11 - CCI-002607
The organization installs security-relevant firmware updates within organization-defined time period of the release of the updates
Related Controls
  1. CA-5 - Plan Of Action And Milestones
  2. CM-3 - Configuration Change Control
  3. CM-4 - Impact Analyses
  4. CM-5 - Access Restrictions For Change
  5. CM-6 - Configuration Settings
  6. CM-8 - System Component Inventory
  7. MA-2 - Controlled Maintenance
  8. RA-5 - Vulnerability Monitoring And Scanning
  9. SA-8 - Security And Privacy Engineering Principles
  10. SA-10 - Developer Configuration Management
  11. SA-11 - Developer Testing And Evaluation
  12. SI-3 - Malicious Code Protection
  13. SI-5 - Security Alerts, Advisories, And Directives
  14. SI-7 - Software, Firmware, And Information Integrity
  15. SI-11 - Error Handling
References
  1. Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019., "SP 800-128" https://doi.org/10.6028/NIST.SP.800-128
  2. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  3. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  6. Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788., "IR 7788" https://doi.org/10.6028/NIST.IR.7788
  7. Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3., "SP 800-40" https://doi.org/10.6028/NIST.SP.800-40r3
Enhancements
SI-2(1) - Central Management
[Withdrawn: Incorporated into PL-9].
SI-2(2) - Automated Flaw Remediation Status
Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].
SI-2(3) - Time To Remediate Flaws And Benchmarks For Corrective Actions
SI-2(4) - Automated Patch Management Tools
Employ automated patch management tools to facilitate flaw remediation to the following system components: [Assignment: organization-defined system components].
SI-2(5) - Automatic Software And Firmware Updates
Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].
SI-2(6) - Removal Of Previous Versions Of Software And Firmware
Remove previous versions of [Assignment: organization-defined software and firmware components] after updated versions have been installed.
MALICIOUS CODE PROTECTION
RMF Control
SI-3
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
LOW, MODERATE, HIGH
Description
System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.
Instructions
SI-3a.
Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
SI-3b.
Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
SI-3c.
Configure malicious code protection mechanisms to:
SI-3d.
Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
Assessment Procedures
SI-3.1 - CCI-002619
The organization employs malicious code protection mechanisms at information system entry points to detect malicious code.
SI-3.3 - CCI-002621
The organization employs malicious code protection mechanisms at information system entry points to eradicate malicious code.
SI-3.2 - CCI-002620
The organization employs malicious code protection mechanisms at information system exit points to detect malicious code.
SI-3.4 - CCI-002622
The organization employs malicious code protection mechanisms at information system exit points to eradicate malicious code.
SI-3.5 - CCI-001240
The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SI-3.6 - CCI-002623
The organization defines the frequency for performing periodic scans of the information system for malicious code.
SI-3.7 - CCI-002624
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.
SI-3.9 - CCI-001242
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
SI-3.8 - CCI-001241
The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.
SI-3.11 - CCI-001244
The organization defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alert to administrator.
SI-3.10 - CCI-001243
The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.
SI-3.12 - CCI-001245
The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system.
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. AC-19 - Access Control For Mobile Devices
  3. CM-3 - Configuration Change Control
  4. CM-8 - System Component Inventory
  5. IR-4 - Incident Handling
  6. MA-3 - Maintenance Tools
  7. MA-4 - Nonlocal Maintenance
  8. PL-9 - Central Management
  9. RA-5 - Vulnerability Monitoring And Scanning
  10. SC-7 - Boundary Protection
  11. SC-23 - Session Authenticity
  12. SC-26 - Decoys
  13. SC-28 - Protection Of Information At Rest
  14. SC-44 - Detonation Chambers
  15. SI-2 - Flaw Remediation
  16. SI-4 - System Monitoring
  17. SI-7 - Software, Firmware, And Information Integrity
  18. SI-8 - Spam Protection
  19. SI-15 - Information Output Filtering
References
  1. Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B., "SP 800-125B" https://doi.org/10.6028/NIST.SP.800-125B
  2. Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1., "SP 800-177" https://doi.org/10.6028/NIST.SP.800-177r1
  3. Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1., "SP 800-83" https://doi.org/10.6028/NIST.SP.800-83r1
Enhancements
SI-3(1) - Central Management
[Withdrawn: Incorporated into PL-9].
SI-3(2) - Automatic Updates
[Withdrawn: Incorporated into SI-3].
SI-3(3) - Non-Privileged Users
[Withdrawn: Incorporated into AC-6(10)].
SI-3(4) - Updates Only By Privileged Users
Update malicious code protection mechanisms only when directed by a privileged user.
SI-3(5) - Portable Storage Devices
[Withdrawn: Incorporated into MP-7].
SI-3(6) - Testing And Verification
SI-3(7) - Nonsignature-Based Detection
[Withdrawn: Incorporated into SI-3].
SI-3(8) - Detect Unauthorized Commands
SI-3(9) - Authenticate Remote Commands
[Withdrawn: Moved to AC-17(10)].
SI-3(10) - Malicious Code Analysis
SYSTEM MONITORING
RMF Control
SI-4
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
LOW, MODERATE, HIGH
Description
System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Instructions
SI-4a.
Monitor the system to detect:
SI-4b.
Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
SI-4c.
Invoke internal monitoring capabilities or deploy monitoring devices:
SI-4d.
Analyze detected events and anomalies;
SI-4e.
Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
SI-4f.
Obtain legal opinion regarding system monitoring activities; and
SI-4g.
Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
Assessment Procedures
SI-4.1 - CCI-001253
The organization defines the objectives of monitoring for attacks and indicators of potential attacks on the information system.
SI-4.2 - CCI-002641
The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives.
SI-4.3 - CCI-002642
The organization monitors the information system to detect unauthorized local connections.
SI-4.4 - CCI-002643
The organization monitors the information system to detect unauthorized network connections.
SI-4.5 - CCI-002644
The organization monitors the information system to detect unauthorized remote connections.
SI-4.6 - CCI-002645
The organization defines the techniques and methods to be used to identify unauthorized use of the information system.
SI-4.7 - CCI-002646
The organization identifies unauthorized use of the information system through organization-defined techniques and methods.
SI-4.8 - CCI-001255
The organization deploys monitoring devices strategically within the information system to collect organization determined essential information.
SI-4.9 - CCI-001256
The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.
SI-4.10 - CCI-002647
The organization protects information obtained from intrusion-monitoring tools from unauthorized access.
SI-4.11 - CCI-002648
The organization protects information obtained from intrusion-monitoring tools from unauthorized modification.
SI-4.12 - CCI-002649
The organization protects information obtained from intrusion-monitoring tools from unauthorized deletion.
SI-4.13 - CCI-001257
The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
SI-4.14 - CCI-001258
The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
SI-4.15 - CCI-002650
The organization defines the information system monitoring information that is to be provided the organization-defined personnel or roles.
SI-4.16 - CCI-002651
The organization defines the personnel or roles that are to be provided organization-defined information system monitoring information.
SI-4.17 - CCI-002652
The organization defines the frequency at which the organization will provide the organization-defined information system monitoring information to organization-defined personnel or roles
SI-4.18 - CCI-002654
The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.
Related Controls
  1. AC-2 - Account Management
  2. AC-3 - Access Enforcement
  3. AC-4 - Information Flow Enforcement
  4. AC-8 - System Use Notification
  5. AC-17 - Remote Access
  6. AU-2 - Event Logging
  7. AU-6 - Audit Record Review, Analysis, And Reporting
  8. AU-7 - Audit Record Reduction And Report Generation
  9. AU-9 - Protection Of Audit Information
  10. AU-12 - Audit Record Generation
  11. AU-13 - Monitoring For Information Disclosure
  12. AU-14 - Session Audit
  13. CA-7 - Continuous Monitoring
  14. CM-3 - Configuration Change Control
  15. CM-6 - Configuration Settings
  16. CM-8 - System Component Inventory
  17. CM-11 - User-Installed Software
  18. IA-10 - Adaptive Authentication
  19. IR-4 - Incident Handling
  20. MA-3 - Maintenance Tools
  21. MA-4 - Nonlocal Maintenance
  22. PL-9 - Central Management
  23. PM-12 - Insider Threat Program
  24. RA-5 - Vulnerability Monitoring And Scanning
  25. RA-10 - Threat Hunting
  26. SC-5 - Denial-Of-Service Protection
  27. SC-7 - Boundary Protection
  28. SC-18 - Mobile Code
  29. SC-26 - Decoys
  30. SC-31 - Covert Channel Analysis
  31. SC-35 - External Malicious Code Identification
  32. SC-36 - Distributed Processing And Storage
  33. SC-37 - Out-Of-Band Channels
  34. SC-43 - Usage Restrictions
  35. SI-3 - Malicious Code Protection
  36. SI-6 - Security And Privacy Function Verification
  37. SI-7 - Software, Firmware, And Information Integrity
  38. SR-9 - Tamper Resistance And Detection
  39. SR-10 - Inspection Of Systems Or Components
References
  1. Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2., "SP 800-61" https://doi.org/10.6028/NIST.SP.800-61r2
  2. Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137., "SP 800-137" https://doi.org/10.6028/NIST.SP.800-137
  3. Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92., "SP 800-92" https://doi.org/10.6028/NIST.SP.800-92
  4. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  5. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  6. Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94., "SP 800-94" https://doi.org/10.6028/NIST.SP.800-94
  7. Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1., "SP 800-83" https://doi.org/10.6028/NIST.SP.800-83r1
Enhancements
SI-4(1) - System-Wide Intrusion Detection System
Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
SI-4(2) - Automated Tools And Mechanisms For Real-Time Analysis
Employ automated tools and mechanisms to support near real-time analysis of events.
SI-4(3) - Automated Tool And Mechanism Integration
Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
SI-4(4) - Inbound And Outbound Communications Traffic
SI-4(5) - System-Generated Alerts
Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
SI-4(6) - Restrict Non-Privileged Users
[Withdrawn: Incorporated into AC-6(10)].
SI-4(7) - Automated Response To Suspicious Events
SI-4(8) - Protection Of Monitoring Information
[Withdrawn: Incorporated into SI-4].
SI-4(9) - Testing Of Monitoring Tools And Mechanisms
Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency].
SI-4(10) - Visibility Of Encrypted Communications
Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].
SI-4(11) - Analyze Communications Traffic Anomalies
Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies.
SI-4(12) - Automated Organization-Generated Alerts
Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].
SI-4(13) - Analyze Traffic And Event Patterns
SI-4(14) - Wireless Intrusion Detection
Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
SI-4(15) - Wireless To Wireline Communications
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
SI-4(16) - Correlate Monitoring Information
Correlate information from monitoring tools and mechanisms employed throughout the system.
SI-4(17) - Integrated Situational Awareness
Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
SI-4(18) - Analyze Traffic And Covert Exfiltration
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system].
SI-4(19) - Risk For Individuals
Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
SI-4(20) - Privileged Users
Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].
SI-4(21) - Probationary Periods
Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring].
SI-4(22) - Unauthorized Network Services
SI-4(23) - Host-Based Devices
Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].
SI-4(24) - Indicators Of Compromise
Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources].
SI-4(25) - Optimize Network Traffic Analysis
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
RMF Control
SI-5
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
LOW, MODERATE, HIGH
Description
The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.
Instructions
SI-5a.
Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
SI-5b.
Generate internal security alerts, advisories, and directives as deemed necessary;
SI-5c.
Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
SI-5d.
Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
Assessment Procedures
SI-5.2 - CCI-002692
The organization defines the external organizations from which it receives information system security alerts, advisories and directives.
SI-5.1 - CCI-001285
The organization receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis.
SI-5.3 - CCI-001286
The organization generates internal security alerts, advisories, and directives as deemed necessary.
SI-5.5 - CCI-001288
The organization defines the personnel or roles to whom the organization will disseminate security alerts, advisories and directives.
SI-5.6 - CCI-002693
The organization defines the elements within the organization to whom the organization will disseminate security alerts, advisories and directives.
SI-5.7 - CCI-002694
The organization defines the external organizations to whom the organization will disseminate security alerts, advisories and directives.
SI-5.4 - CCI-001287
The organization disseminates security alerts, advisories, and directives to organization-defined personnel or roles, organization-defined elements within the organization, and/or organization-defined external organizations.
SI-5.8 - CCI-001289
The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Related Controls
  1. PM-15 - Security And Privacy Groups And Associations
  2. RA-5 - Vulnerability Monitoring And Scanning
  3. SI-2 - Flaw Remediation
References
  1. Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3., "SP 800-40" https://doi.org/10.6028/NIST.SP.800-40r3
Enhancements
SI-5(1) - Automated Alerts And Advisories
Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].
SECURITY AND PRIVACY FUNCTION VERIFICATION
RMF Control
SI-6
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
HIGH
Description
Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.
Instructions
SI-6a.
Verify the correct operation of [Assignment: organization-defined security and privacy functions];
SI-6b.
Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
SI-6c.
Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and
SI-6d.
[Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
Assessment Procedures
SI-6.1 - CCI-002695
The organization defines the security functions that require verification of correct operation.
SI-6.2 - CCI-002696
The information system verifies correct operation of organization-defined security functions.
SI-6.4 - CCI-002698
The organization defines the system transitional states when the information system will verify correct operation of organization-defined security functions.
SI-6.3 - CCI-002697
The organization defines the frequency at which it will verify correct operation of organization-defined security functions.
SI-6.5 - CCI-002699
The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
SI-6.7 - CCI-002700
The organization defines the personnel or roles to be notified when security verification tests fail.
SI-6.8 - CCI-002701
The organization defines alternative action(s) to be taken when the information system discovers anomalies in the operation of organization-defined security functions.
SI-6.6 - CCI-001294
The information system notifies organization-defined personnel or roles of failed security verification tests.
SI-6.9 - CCI-002702
The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.
Related Controls
  1. CA-7 - Continuous Monitoring
  2. CM-4 - Impact Analyses
  3. CM-6 - Configuration Settings
  4. SI-7 - Software, Firmware, And Information Integrity
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SI-6(1) - Notification Of Failed Security Tests
[Withdrawn: Incorporated into SI-6].
SI-6(2) - Automation Support For Distributed Testing
Implement automated mechanisms to support the management of distributed security and privacy function testing.
SI-6(3) - Report Verification Results
Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles].
SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
RMF Control
SI-7
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
MODERATE, HIGH
Description
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.
Instructions
SI-7a.
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and
SI-7b.
Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].
Assessment Procedures
SI-7.1 - CCI-002703
The organization defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.
SI-7.2 - CCI-002704
The organization employs integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information.
Related Controls
  1. AC-4 - Information Flow Enforcement
  2. CM-3 - Configuration Change Control
  3. CM-7 - Least Functionality
  4. CM-8 - System Component Inventory
  5. MA-3 - Maintenance Tools
  6. MA-4 - Nonlocal Maintenance
  7. RA-5 - Vulnerability Monitoring And Scanning
  8. SA-8 - Security And Privacy Engineering Principles
  9. SA-9 - External System Services
  10. SA-10 - Developer Configuration Management
  11. SC-8 - Transmission Confidentiality And Integrity
  12. SC-12 - Cryptographic Key Establishment And Management
  13. SC-13 - Cryptographic Protection
  14. SC-28 - Protection Of Information At Rest
  15. SC-37 - Out-Of-Band Channels
  16. SI-3 - Malicious Code Protection
  17. SR-3 - Supply Chain Controls And Processes
  18. SR-4 - Provenance
  19. SR-5 - Acquisition Strategies, Tools, And Methods
  20. SR-6 - Supplier Assessments And Reviews
  21. SR-9 - Tamper Resistance And Detection
  22. SR-10 - Inspection Of Systems Or Components
  23. SR-11 - Component Authenticity
References
  1. Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147., "SP 800-147" https://doi.org/10.6028/NIST.SP.800-147
  2. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  3. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  4. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  5. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  6. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  7. Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4., "SP 800-70" https://doi.org/10.6028/NIST.SP.800-70r4
Enhancements
SI-7(1) - Integrity Checks
Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
SI-7(2) - Automated Notifications Of Integrity Violations
Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
SI-7(3) - Centrally Managed Integrity Tools
Employ centrally managed integrity verification tools.
SI-7(4) - Tamper-Evident Packaging
[Withdrawn: Incorporated into SR-9].
SI-7(5) - Automated Response To Integrity Violations
Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered.
SI-7(6) - Cryptographic Protection
Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
SI-7(7) - Integration Of Detection And Response
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].
SI-7(8) - Auditing Capability For Significant Events
Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].
SI-7(9) - Verify Boot Process
Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components].
SI-7(10) - Protection Of Boot Firmware
Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms].
SI-7(11) - Confined Environments With Limited Privileges
[Withdrawn: Moved to CM-7(6)].
SI-7(12) - Integrity Verification
Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software].
SI-7(13) - Code Execution In Protected Environments
[Withdrawn: Moved to CM-7(7)].
SI-7(14) - Binary Or Machine Executable Code
[Withdrawn: Moved to CM-7(8)].
SI-7(15) - Code Authentication
Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].
SI-7(16) - Time Limit On Process Execution Without Supervision
Prohibit processes from executing without supervision for more than [Assignment: organization-defined time period].
SI-7(17) - Runtime Application Self-Protection
Implement [Assignment: organization-defined controls] for application self-protection at runtime.
SPAM PROTECTION
RMF Control
SI-8
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
MODERATE, HIGH
Description
System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.
Instructions
SI-8a.
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
SI-8b.
Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Assessment Procedures
SI-8.1 - CCI-002741
The organization employs spam protection mechanisms at information system entry points to detect and take action on unsolicited messages.
SI-8.2 - CCI-002742
The organization employs spam protection mechanisms at information system exit points to detect and take action on unsolicited messages.
SI-8.3 - CCI-001306
The organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Related Controls
  1. PL-9 - Central Management
  2. SC-5 - Denial-Of-Service Protection
  3. SC-7 - Boundary Protection
  4. SC-38 - Operations Security
  5. SI-3 - Malicious Code Protection
  6. SI-4 - System Monitoring
References
  1. Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1., "SP 800-177" https://doi.org/10.6028/NIST.SP.800-177r1
  2. Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2., "SP 800-45" https://doi.org/10.6028/NIST.SP.800-45ver2
Enhancements
SI-8(1) - Central Management
[Withdrawn: Incorporated into PL-9].
SI-8(2) - Automatic Updates
Automatically update spam protection mechanisms [Assignment: organization-defined frequency].
SI-8(3) - Continuous Learning Capability
Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
INFORMATION INPUT RESTRICTIONS
RMF Control
SI-9
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
Description
Instructions
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].
Assessment Procedures
Related Controls
References
Enhancements
INFORMATION INPUT VALIDATION
RMF Control
SI-10
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
MODERATE, HIGH
Description
Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.
Instructions
Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].
Assessment Procedures
SI-10.2 - CCI-002744
The organization defines the inputs the information system is to conduct validity checks.
SI-10.1 - CCI-001310
The information system checks the validity of organization-defined inputs.
Related Controls
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SI-10(1) - Manual Override Capability
SI-10(2) - Review And Resolve Errors
Review and resolve input validation errors within [Assignment: organization-defined time period].
SI-10(3) - Predictable Behavior
Verify that the system behaves in a predictable and documented manner when invalid inputs are received.
SI-10(4) - Timing Interactions
Account for timing interactions among system components in determining appropriate responses for invalid inputs.
SI-10(5) - Restrict Inputs To Trusted Sources And Approved Formats
Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].
SI-10(6) - Injection Prevention
Prevent untrusted data injections.
ERROR HANDLING
RMF Control
SI-11
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
MODERATE, HIGH
Description
Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.
Instructions
SI-11a.
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and
SI-11b.
Reveal error messages only to [Assignment: organization-defined personnel or roles].
Assessment Procedures
SI-11.1 - CCI-001312
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SI-11.3 - CCI-002759
The organization defines the personnel or roles to whom error messages are to be revealed.
SI-11.2 - CCI-001314
The information system reveals error messages only to organization-defined personnel or roles.
Related Controls
  1. AU-2 - Event Logging
  2. AU-3 - Content Of Audit Records
  3. SC-31 - Covert Channel Analysis
  4. SI-2 - Flaw Remediation
  5. SI-15 - Information Output Filtering
References
Enhancements
INFORMATION MANAGEMENT AND RETENTION
RMF Control
SI-12
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
LOW, MODERATE, HIGH, PRIVACY
Description
Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.
Instructions
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
Assessment Procedures
SI-12.1 - CCI-001315
The organization handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-12.2 - CCI-001678
The organization retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Related Controls
  1. AC-16 - Security And Privacy Attributes
  2. AU-5 - Response To Audit Logging Process Failures
  3. AU-11 - Audit Record Retention
  4. CA-2 - Control Assessments
  5. CA-3 - Information Exchange
  6. CA-5 - Plan Of Action And Milestones
  7. CA-6 - Authorization
  8. CA-7 - Continuous Monitoring
  9. CA-9 - Internal System Connections
  10. CM-5 - Access Restrictions For Change
  11. CM-9 - Configuration Management Plan
  12. CP-2 - Contingency Plan
  13. IR-8 - Incident Response Plan
  14. MP-2 - Media Access
  15. MP-3 - Media Marking
  16. MP-4 - Media Storage
  17. MP-6 - Media Sanitization
  18. PL-2 - System Security And Privacy Plans
  19. PL-4 - Rules Of Behavior
  20. PM-4 - Plan Of Action And Milestones Process
  21. PM-8 - Critical Infrastructure Plan
  22. PM-9 - Risk Management Strategy
  23. PS-2 - Position Risk Designation
  24. PS-6 - Access Agreements
  25. PT-2 - Authority To Process Personally Identifiable Information
  26. PT-3 - Personally Identifiable Information Processing Purposes
  27. RA-2 - Security Categorization
  28. RA-3 - Risk Assessment
  29. SA-5 - System Documentation
  30. SA-8 - Security And Privacy Engineering Principles
  31. SR-2 - Supply Chain Risk Management Plan
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. United States Code, 2008 Edition, Title 44 - , Chapters 29, 31, and 33, January 2012., "USC 2901" https://www.govinfo.gov/content/pkg/USCODE-2011-ti
Enhancements
SI-12(1) - Limit Personally Identifiable Information Elements
Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: [Assignment: organization-defined elements of personally identifiable information].
SI-12(2) - Minimize Personally Identifiable Information In Testing, Training, And Research
Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques].
SI-12(3) - Information Disposal
Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques].
PREDICTABLE FAILURE PREVENTION
RMF Control
SI-13
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities. Failure rates reflect installation-specific consideration rather than the industry-average. Organizations define the criteria for the substitution of system components based on the MTTF value with consideration for the potential harm from component failures. The transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capabilities. The preservation of system state variables is also critical to help ensure a successful transfer process. Standby components remain available at all times except for maintenance issues or recovery failures in progress.
Instructions
SI-13a.
Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and
SI-13b.
Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria].
Assessment Procedures
SI-13.2 - CCI-002761
The organization defines the system components in specific environments of operation for which the mean time to failure (MTTF) is to be determined.
SI-13.1 - CCI-002760
The organization determines mean time to failure (MTTF) for organization-defined information system components in specific environments of operation.
SI-13.4 - CCI-002762
The organization defines the mean time to failure substitution criteria to be employed as a means to determine the need to exchange active and standby components.
SI-13.3 - CCI-001318
The organization provides substitute information system components.
SI-13.5 - CCI-002763
The organization provides a means to exchange active and standby components in accordance with the organization-defined mean time to failure substitution criteria.
Related Controls
  1. CP-2 - Contingency Plan
  2. CP-10 - System Recovery And Reconstitution
  3. CP-13 - Alternative Security Mechanisms
  4. MA-2 - Controlled Maintenance
  5. MA-6 - Timely Maintenance
  6. SA-8 - Security And Privacy Engineering Principles
  7. SC-6 - Resource Availability
References
Enhancements
SI-13(1) - Transferring Component Responsibilities
Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
SI-13(2) - Time Limit On Process Execution Without Supervision
[Withdrawn: Incorporated into SI-7(16)].
SI-13(3) - Manual Transfer Between Components
Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure.
SI-13(4) - Standby Component Installation And Notification
If system component failures are detected:
SI-13(5) - Failover Capability
Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.
NON-PERSISTENCE
RMF Control
SI-14
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems. Non-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities.
Instructions
Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
Assessment Procedures
SI-14.1 - CCI-002764
The organization defines non-persistent information system components and services to be implemented.
SI-14.2 - CCI-002765
The organization defines the frequency at which it will terminate organization-defined non-persistent information system components and services.
SI-14.3 - CCI-002766
The organization implements organization-defined non-persistence information system components and services that are initiated in a known state.
SI-14.4 - CCI-002767
The organization implements organization-defined non-persistence information system components and services that are terminated upon end of session of use and/or periodically at organization-defined frequency.
Related Controls
  1. SC-30 - Concealment And Misdirection
  2. SC-34 - Non-Modifiable Executable Programs
  3. SI-21 - Information Refresh
References
Enhancements
SI-14(1) - Refresh From Trusted Sources
Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources].
SI-14(2) - Non-Persistent Information
SI-14(3) - Non-Persistent Connectivity
Establish connections to the system on demand and terminate connections after [Selection: completion of a request; a period of non-use].
INFORMATION OUTPUT FILTERING
RMF Control
SI-15
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered.
Instructions
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications].
Assessment Procedures
SI-15.1 - CCI-002770
The organization defines the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content.
SI-15.2 - CCI-002771
The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.
Related Controls
  1. SI-3 - Malicious Code Protection
  2. SI-4 - System Monitoring
  3. SI-11 - Error Handling
References
Enhancements
MEMORY PROTECTION
RMF Control
SI-16
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
MODERATE, HIGH
Description
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.
Instructions
Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls].
Assessment Procedures
SI-16.1 - CCI-002823
The organization defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.
SI-16.2 - CCI-002824
The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.
Related Controls
  1. AC-25 - Reference Monitor
  2. SC-3 - Security Function Isolation
  3. SI-7 - Software, Firmware, And Information Integrity
References
Enhancements
FAIL-SAFE PROCEDURES
RMF Control
SI-17
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. Subsequent steps may include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel.
Instructions
Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures].
Assessment Procedures
SI-17.1 - CCI-002773
The organization defines the fail-safe procedures to be implemented by the information system when organization-defined failure conditions occur.
SI-17.2 - CCI-002774
The organization defines the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures.
SI-17.3 - CCI-002775
The information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur.
Related Controls
  1. CP-12 - Safe Mode
  2. CP-13 - Alternative Security Mechanisms
  3. SC-24 - Fail In Known State
  4. SI-13 - Predictable Failure Prevention
References
Enhancements
PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS
RMF Control
SI-18
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED, PRIVACY
Description
Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.
Instructions
SI-18a.
Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and
SI-18b.
Correct or delete inaccurate or outdated personally identifiable information.
Assessment Procedures
Related Controls
  1. PM-22 - Personally Identifiable Information Quality Management
  2. PM-24 - Data Integrity Board
  3. PT-2 - Authority To Process Personally Identifiable Information
  4. SI-4 - System Monitoring
References
  1. Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188., "SP 800-188" https://csrc.nist.gov/publications/detail/sp/800-1
  2. Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112., "IR 8112" https://doi.org/10.6028/NIST.IR.8112
  3. Office of Management and Budget Memorandum M-19-15, , April 2019., "OMB M-19-15" https://www.whitehouse.gov/wp-content/uploads/2019
Enhancements
SI-18(1) - Automation Support
Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [Assignment: organization-defined automated mechanisms].
SI-18(2) - Data Tags
Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.
SI-18(3) - Collection
Collect personally identifiable information directly from the individual.
SI-18(4) - Individual Requests
Correct or delete personally identifiable information upon request by individuals or their designated representatives.
SI-18(5) - Notice Of Correction Or Deletion
Notify [Assignment: organization-defined recipients of personally identifiable information] and individuals that the personally identifiable information has been corrected or deleted.
DE-IDENTIFICATION
RMF Control
SI-19
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED, PRIVACY
Description
De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk.
Instructions
SI-19a.
Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and
SI-19b.
Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification.
Assessment Procedures
Related Controls
  1. MP-6 - Media Sanitization
  2. PM-22 - Personally Identifiable Information Quality Management
  3. PM-23 - Data Governance Body
  4. PM-24 - Data Integrity Board
  5. RA-2 - Security Categorization
  6. SI-12 - Information Management And Retention
References
  1. Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188., "SP 800-188" https://csrc.nist.gov/publications/detail/sp/800-1
  2. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
Enhancements
SI-19(1) - Collection
De-identify the dataset upon collection by not collecting personally identifiable information.
SI-19(2) - Archiving
Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.
SI-19(3) - Release
Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
SI-19(4) - Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers
Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
SI-19(5) - Statistical Disclosure Control
Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.
SI-19(6) - Differential Privacy
Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.
SI-19(7) - Validated Algorithms And Software
Perform de-identification using validated algorithms and software that is validated to implement the algorithms.
SI-19(8) - Motivated Intruder
Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
TAINTING
RMF Control
SI-20
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to call home, thereby alerting the organization to its capture, and possibly its location, and the path by which it was exfiltrated or removed.
Instructions
Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [Assignment: organization-defined systems or system components].
Assessment Procedures
Related Controls
  1. AU-13 - Monitoring For Information Disclosure
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
INFORMATION REFRESH
RMF Control
SI-21
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
Retaining information for longer than it is needed makes it an increasingly valuable and enticing target for adversaries. Keeping information available for the minimum period of time needed to support organizational missions or business functions reduces the opportunity for adversaries to compromise, capture, and exfiltrate that information.
Instructions
Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed.
Assessment Procedures
Related Controls
  1. SI-14 - Non-Persistence
References
  1. Office of Management and Budget Memorandum Circular A-130, , July 2016., "OMB A-130" https://www.whitehouse.gov/sites/whitehouse.gov/fi
  2. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
INFORMATION DIVERSITY
RMF Control
SI-22
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the service function to properly carry out its intended actions. By having multiple sources of input, the service or function can continue operation if one source is corrupted or no longer available. It is possible that the alternative sources of information may be less precise or less accurate than the primary source of information. But having such sub-optimal information sources may still provide a sufficient level of quality that the essential service or function can be carried out, even in a degraded or debilitated manner.
Instructions
SI-22a.
Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and
SI-22b.
Use an alternative information source for the execution of essential functions or services on [Assignment: organization-defined systems or system components] when the primary source of information is corrupted or unavailable.
Assessment Procedures
Related Controls
References
  1. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
INFORMATION FRAGMENTATION
RMF Control
SI-23
Subject Area
SYSTEM AND INFORMATION INTEGRITY
Baseline Areas
NOT SELECTED
Description
One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider dividing the information into disparate elements and distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and, in so doing, increase the probability of detection. The fragmentation of information impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation is dictated by the impact or classification level (and value) of the information, threat intelligence information received, and whether data tainting is used (i.e., data tainting-derived information about the exfiltration of some information could result in the fragmentation of the remaining information).
Instructions
Based on [Assignment: organization-defined circumstances]:
SI-23a.
Fragment the following information: [Assignment: organization-defined information]; and
SI-23b.
Distribute the fragmented information across the following systems or system components: [Assignment: organization-defined systems or system components].
Assessment Procedures
Related Controls
References
  1. Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2., "SP 800-160-2" https://doi.org/10.6028/NIST.SP.800-160v2
Enhancements
POLICY AND PROCEDURES
RMF Control
SR-1
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Instructions
SR-1a.
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
SR-1b.
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
SR-1c.
Review and update the current supply chain risk management:
Assessment Procedures
Related Controls
  1. PM-9 - Risk Management Strategy
  2. PM-30 - Supply Chain Risk Management Strategy
  3. PS-8 - Personnel Sanctions
  4. SI-12 - Information Management And Retention
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007., "SP 800-100" https://doi.org/10.6028/NIST.SP.800-100
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Committee on National Security Systems Directive No. 505, , August 2017., "CNSSD 505" https://www.cnss.gov/CNSS/issuances/Directives.cfm
  5. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  6. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  7. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  8. Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1., "SP 800-12" https://doi.org/10.6028/NIST.SP.800-12r1
  9. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
SUPPLY CHAIN RISK MANAGEMENT PLAN
RMF Control
SR-2
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions. Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).
Instructions
SR-2a.
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services];
SR-2b.
Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
SR-2c.
Protect the supply chain risk management plan from unauthorized disclosure and modification.
Assessment Procedures
Related Controls
  1. CA-2 - Control Assessments
  2. CP-4 - Contingency Plan Testing
  3. IR-4 - Incident Handling
  4. MA-2 - Controlled Maintenance
  5. MA-6 - Timely Maintenance
  6. PE-16 - Delivery And Removal
  7. PL-2 - System Security And Privacy Plans
  8. PM-9 - Risk Management Strategy
  9. PM-30 - Supply Chain Risk Management Strategy
  10. RA-3 - Risk Assessment
  11. RA-7 - Risk Response
  12. SA-8 - Security And Privacy Engineering Principles
  13. SI-4 - System Monitoring
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Committee on National Security Systems Directive No. 505, , August 2017., "CNSSD 505" https://www.cnss.gov/CNSS/issuances/Directives.cfm
  5. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  6. Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39., "SP 800-39" https://doi.org/10.6028/NIST.SP.800-39
  7. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  8. Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272., "IR 8272" https://doi.org/10.6028/NIST.IR.8272
  9. Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1., "SP 800-181" https://doi.org/10.6028/NIST.SP.800-181r1
  10. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  11. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
SR-2(1) - Establish Scrm Team
Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities].
SUPPLY CHAIN CONTROLS AND PROCESSES
RMF Control
SR-3
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.
Instructions
SR-3a.
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
SR-3b.
Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
SR-3c.
Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]].
Assessment Procedures
Related Controls
  1. CA-2 - Control Assessments
  2. MA-2 - Controlled Maintenance
  3. MA-6 - Timely Maintenance
  4. PE-3 - Physical Access Control
  5. PE-16 - Delivery And Removal
  6. PL-8 - Security And Privacy Architectures
  7. PM-30 - Supply Chain Risk Management Strategy
  8. SA-2 - Allocation Of Resources
  9. SA-3 - System Development Life Cycle
  10. SA-4 - Acquisition Process
  11. SA-5 - System Documentation
  12. SA-8 - Security And Privacy Engineering Principles
  13. SA-9 - External System Services
  14. SA-10 - Developer Configuration Management
  15. SA-15 - Development Process, Standards, And Tools
  16. SC-7 - Boundary Protection
  17. SC-29 - Heterogeneity
  18. SC-30 - Concealment And Misdirection
  19. SC-38 - Operations Security
  20. SI-7 - Software, Firmware, And Information Integrity
  21. SR-6 - Supplier Assessments And Reviews
  22. SR-9 - Tamper Resistance And Detection
  23. SR-11 - Component Authenticity
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  5. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
  6. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  7. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
SR-3(1) - Diverse Supply Base
Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].
SR-3(2) - Limitation Of Harm
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls].
SR-3(3) - Sub-Tier Flow Down
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
PROVENANCE
RMF Control
SR-4
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-1) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.
Instructions
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].
Assessment Procedures
Related Controls
  1. CM-8 - System Component Inventory
  2. MA-2 - Controlled Maintenance
  3. MA-6 - Timely Maintenance
  4. RA-9 - Criticality Analysis
  5. SA-3 - System Development Life Cycle
  6. SA-8 - Security And Privacy Engineering Principles
  7. SI-4 - System Monitoring
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  5. Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112., "IR 8112" https://doi.org/10.6028/NIST.IR.8112
  6. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
  7. International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, , April 2014., "ISO 27036" https://www.iso.org/standard/59648.html
  8. Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272., "IR 8272" https://doi.org/10.6028/NIST.IR.8272
  9. Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018., "SP 800-160-1" https://doi.org/10.6028/NIST.SP.800-160v1
  10. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
SR-4(1) - Identity
Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [Assignment: organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components].
SR-4(2) - Track And Trace
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components].
SR-4(3) - Validate As Genuine And Not Altered
Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls].
SR-4(4) - Supply Chain Integrity — Pedigree
Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.
ACQUISITION STRATEGIES, TOOLS, AND METHODS
RMF Control
SR-5
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.
Instructions
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
Assessment Procedures
Related Controls
  1. AT-3 - Role-Based Training
  2. SA-2 - Allocation Of Resources
  3. SA-3 - System Development Life Cycle
  4. SA-4 - Acquisition Process
  5. SA-5 - System Documentation
  6. SA-8 - Security And Privacy Engineering Principles
  7. SA-9 - External System Services
  8. SA-10 - Developer Configuration Management
  9. SA-15 - Development Process, Standards, And Tools
  10. SR-6 - Supplier Assessments And Reviews
  11. SR-9 - Tamper Resistance And Detection
  12. SR-10 - Inspection Of Systems Or Components
  13. SR-11 - Component Authenticity
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  5. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
  6. International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, , April 2014., "ISO 27036" https://www.iso.org/standard/59648.html
  7. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  8. Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272., "IR 8272" https://doi.org/10.6028/NIST.IR.8272
  9. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
SR-5(1) - Adequate Supply
Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls].
SR-5(2) - Assessments Prior To Selection, Acceptance, Modification, Or Update
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
SUPPLIER ASSESSMENTS AND REVIEWS
RMF Control
SR-6
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
MODERATE, HIGH
Description
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.
Instructions
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].
Assessment Procedures
Related Controls
  1. SR-3 - Supply Chain Controls And Processes
  2. SR-5 - Acquisition Strategies, Tools, And Methods
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  5. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
  6. International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, , April 2014., "ISO 27036" https://www.iso.org/standard/59648.html
  7. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  8. National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4., "FIPS 186-4" https://doi.org/10.6028/NIST.FIPS.186-4
  9. National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4., "FIPS 180-4" https://doi.org/10.6028/NIST.FIPS.180-4
  10. National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202., "FIPS 202" https://doi.org/10.6028/NIST.FIPS.202
  11. National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. , "FIPS 140-3" https://doi.org/10.6028/NIST.FIPS.140-3
  12. Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272., "IR 8272" https://doi.org/10.6028/NIST.IR.8272
  13. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
SR-6(1) - Testing And Analysis
Employ [Selection (one or more): organizational analysis; independent third-party analysis; organizational testing; independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors].
SUPPLY CHAIN OPERATIONS SECURITY
RMF Control
SR-7
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
NOT SELECTED
Description
Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.
Instructions
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls].
Assessment Procedures
Related Controls
  1. SC-38 - Operations Security
References
  1. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  2. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  3. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  4. International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, , April 2014., "ISO 27036" https://www.iso.org/standard/59648.html
  5. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
Enhancements
NOTIFICATION AGREEMENTS
RMF Control
SR-8
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.
Instructions
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]].
Assessment Procedures
Related Controls
  1. IR-4 - Incident Handling
  2. IR-6 - Incident Reporting
  3. IR-8 - Incident Response Plan
References
  1. 85 Federal Register 54263 (September 1, 2020), pp 54263-54271., "41 CFR 201" https://www.federalregister.gov/d/2020-18939
  2. Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622., "IR 7622" https://doi.org/10.6028/NIST.IR.7622
  3. Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161., "SP 800-161" https://doi.org/10.6028/NIST.SP.800-161
  4. Executive Order 13873, , May 2019., "EO 13873" https://www.whitehouse.gov/presidential-actions/ex
  5. International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, , April 2014., "ISO 27036" https://www.iso.org/standard/59648.html
  6. Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1., "SP 800-30" https://doi.org/10.6028/NIST.SP.800-30r1
  7. Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018., "FASC18" https://www.congress.gov/bill/115th-congress/senat
Enhancements
TAMPER RESISTANCE AND DETECTION
RMF Control
SR-9
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
HIGH
Description
Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.
Instructions
Implement a tamper protection program for the system, system component, or system service.
Assessment Procedures
Related Controls
  1. PE-3 - Physical Access Control
  2. PM-30 - Supply Chain Risk Management Strategy
  3. SA-15 - Development Process, Standards, And Tools
  4. SI-4 - System Monitoring
  5. SI-7 - Software, Firmware, And Information Integrity
  6. SR-3 - Supply Chain Controls And Processes
  7. SR-4 - Provenance
  8. SR-5 - Acquisition Strategies, Tools, And Methods
  9. SR-10 - Inspection Of Systems Or Components
  10. SR-11 - Component Authenticity
References
  1. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
Enhancements
SR-9(1) - Multiple Stages Of System Development Life Cycle
Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.
INSPECTION OF SYSTEMS OR COMPONENTS
RMF Control
SR-10
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.
Instructions
Inspect the following systems or system components [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components].
Assessment Procedures
Related Controls
  1. AT-3 - Role-Based Training
  2. PM-30 - Supply Chain Risk Management Strategy
  3. SI-4 - System Monitoring
  4. SI-7 - Software, Firmware, And Information Integrity
  5. SR-3 - Supply Chain Controls And Processes
  6. SR-4 - Provenance
  7. SR-5 - Acquisition Strategies, Tools, And Methods
  8. SR-9 - Tamper Resistance And Detection
  9. SR-11 - Component Authenticity
References
  1. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
Enhancements
COMPONENT AUTHENTICITY
RMF Control
SR-11
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.
Instructions
SR-11a.
Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
SR-11b.
Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Assessment Procedures
Related Controls
  1. PE-3 - Physical Access Control
  2. SA-4 - Acquisition Process
  3. SI-7 - Software, Firmware, And Information Integrity
  4. SR-9 - Tamper Resistance And Detection
  5. SR-10 - Inspection Of Systems Or Components
References
  1. International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, , February 2018., "ISO 20243" https://www.iso.org/standard/74399.html
Enhancements
SR-11(1) - Anti-Counterfeit Training
Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
SR-11(2) - Configuration Control For Component Service And Repair
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].
SR-11(3) - Anti-Counterfeit Scanning
Scan for counterfeit system components [Assignment: organization-defined frequency].
COMPONENT DISPOSAL
RMF Control
SR-12
Subject Area
SUPPLY CHAIN RISK MANAGEMENT
Baseline Areas
LOW, MODERATE, HIGH
Description
Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.
Instructions
Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].
Assessment Procedures
Related Controls
  1. MP-6 - Media Sanitization
References
Enhancements