ACCESS CONTROLAC-1ACCESS CONTROL POLICY AND PROCEDURESDetermine if the organization:AC-1(a)(1)AC-1(a)(1)[1]develops and documents an access control policy that addresses:AC-1(a)(1)[1][a]purpose;AC-1(a)(1)[1][b]scope;AC-1(a)(1)[1][c]roles;AC-1(a)(1)[1][d]responsibilities;AC-1(a)(1)[1][e]management commitment;AC-1(a)(1)[1][f]coordination among organizational entities;AC-1(a)(1)[1][g]compliance;AC-1(a)(1)[2]defines personnel or roles to whom the access control policy are to be disseminated;AC-1(a)(1)[3]disseminates the access control policy to organization-defined personnel or roles;AC-1(a)(2)AC-1(a)(2)[1]develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;AC-1(a)(2)[2]defines personnel or roles to whom the procedures are to be disseminated;AC-1(a)(2)[3]disseminates the procedures to organization-defined personnel or roles;AC-1(b)(1)AC-1(b)(1)[1]defines the frequency to review and update the current access control policy;AC-1(b)(1)[2]reviews and updates the current access control policy with the organization-defined frequency;AC-1(b)(2)AC-1(b)(2)[1]defines the frequency to review and update the current access control procedures; andAC-1(b)(2)[2]reviews and updates the current access control procedures with the organization-defined frequency.ACCESS CONTROLAC-2ACCOUNT MANAGEMENTDetermine if the organization:AC-2(a)AC-2(a)[1]defines information system account types to be identified and selected to support organizational missions/business functions;AC-2(a)[2]identifies and selects organization-defined information system account types to support organizational missions/business functions;AC-2(b)assigns account managers for information system accounts;AC-2(c)establishes conditions for group and role membership;AC-2(d)specifies for each account (as required):AC-2(d)[1]authorized users of the information system;AC-2(d)[2]group and role membership;AC-2(d)[3]access authorizations (i.e., 
privileges);AC-2(d)[4]other attributes;AC-2(e)AC-2(e)[1]defines personnel or roles required to approve requests to create information system accounts;AC-2(e)[2]requires approvals by organization-defined personnel or roles for requests to create information system accounts;AC-2(f)AC-2(f)[1]defines procedures or conditions to:AC-2(f)[1][a]create information system accounts;AC-2(f)[1][b]enable information system accounts;AC-2(f)[1][c]modify information system accounts;AC-2(f)[1][d]disable information system accounts;AC-2(f)[1][e]remove information system accounts;AC-2(f)[2]in accordance with organization-defined procedures or conditions:AC-2(f)[2][a]creates information system accounts;AC-2(f)[2][b]enables information system accounts;AC-2(f)[2][c]modifies information system accounts;AC-2(f)[2][d]disables information system accounts;AC-2(f)[2][e]removes information system accounts;AC-2(g)monitors the use of information system accounts;AC-2(h)notifies account managers:AC-2(h)(1)when accounts are no longer required;AC-2(h)(2)when users are terminated or transferred;AC-2(h)(3)when individual information system usage or need to know changes;AC-2(i)authorizes access to the information system based on;AC-2(i)(1)a valid access authorization;AC-2(i)(2)intended system usage;AC-2(i)(3)other attributes as required by the organization or associated missions/business functions;AC-2(j)AC-2(j)[1]defines the frequency to review accounts for compliance with account management requirements;AC-2(j)[2]reviews accounts for compliance with account management requirements with the organization-defined frequency; andAC-2(k)establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.AC-2(1)AUTOMATED SYSTEM ACCOUNT MANAGEMENTDetermine if the organization employs automated mechanisms to support the management of information system accounts.AC-2(2)REMOVAL OF TEMPORARY/EMERGENCY ACCOUNTSDetermine if:AC-2(2)[1]the organization 
defines the time period after which the information system automatically removes or disables temporary and emergency accounts; andAC-2(2)[2]the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account.AC-2(3)DISABLE INACTIVE ACCOUNTSDetermine if:AC-2(3)[1]the organization defines the time period after which the information system automatically disables inactive accounts; andAC-2(3)[2]the information system automatically disables inactive accounts after the organization-defined time period.AC-2(4)AUTOMATED AUDIT ACTIONSDetermine if:AC-2(4)[1]the information system automatically audits the following account actions:AC-2(4)[1][a]creation;AC-2(4)[1][b]modification;AC-2(4)[1][c]enabling;AC-2(4)[1][d]disabling;AC-2(4)[1][e]removal;AC-2(4)[2]the organization defines personnel or roles to be notified of the following account actions:AC-2(4)[2][a]creation;AC-2(4)[2][b]modification;AC-2(4)[2][c]enabling;AC-2(4)[2][d]disabling;AC-2(4)[2][e]removal;AC-2(4)[3]the information system notifies organization-defined personnel or roles of the following account actions:AC-2(4)[3][a]creation;AC-2(4)[3][b]modification;AC-2(4)[3][c]enabling;AC-2(4)[3][d]disabling; andAC-2(4)[3][e]removal.AC-2(5)INACTIVITY LOGOUTDetermine if the organization:AC-2(5)[1]defines either the time period of expected inactivity that requires users to log out or the description of when users are required to log out; andAC-2(5)[2]requires that users log out when the organization-defined time period of inactivity is reached or in accordance with organization-defined description of when to log out.AC-2(6)DYNAMIC PRIVILEGE MANAGEMENTDetermine if:AC-2(6)[1]the organization defines a list of dynamic privilege management capabilities to be implemented by the information system; andAC-2(6)[2]the information system implements the organization-defined list of dynamic privilege management capabilities.AC-2(7)ROLE-BASED 
SCHEMESDetermine if the organization:AC-2(7)(a)establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;AC-2(7)(b)monitors privileged role assignments;AC-2(7)(c)AC-2(7)(c)[1]defines actions to be taken when privileged role assignments are no longer appropriate; andAC-2(7)(c)[2]takes organization-defined actions when privileged role assignments are no longer appropriate.AC-2(8)DYNAMIC ACCOUNT CREATIONDetermine if:AC-2(8)[1]the organization defines information system accounts to be created by the information system dynamically; andAC-2(8)[2]the information system creates organization-defined information system accounts dynamically.AC-2(9)RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTSDetermine if the organization:AC-2(9)[1]defines conditions for establishing shared/group accounts; andAC-2(9)[2]only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.AC-2(10)SHARED / GROUP ACCOUNT CREDENTIAL TERMINATIONDetermine if the information system terminates shared/group account credentials when members leave the group.AC-2(11)USAGE CONDITIONSDetermine if:AC-2(11)[1]the organization defines circumstances and/or usage conditions to be enforced for information system accounts;AC-2(11)[2]the organization defines information system accounts for which organization-defined circumstances and/or usage conditions are to be enforced; andAC-2(11)[3]the information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.AC-2(12)ACCOUNT MONITORING / ATYPICAL USAGEDetermine if the organization:AC-2(12)(a)AC-2(12)(a)[1]defines atypical usage to be monitored for information system accounts;AC-2(12)(a)[2]monitors information system accounts for organization-defined atypical usage;AC-2(12)(b)AC-2(12)(b)[1]defines personnel or roles to whom 
atypical usage of information system accounts are to be reported; andAC-2(12)(b)[2]reports atypical usage of information system accounts to organization-defined personnel or roles.AC-2(13)DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALSDetermine if the organization: AC-2(13)[1]defines the time period within which accounts are disabled upon discovery of a significant risk posed by users of such accounts; andAC-2(13)[2]disables accounts of users posing a significant risk within the organization-defined time period of discovery of the risk.ACCESS CONTROLAC-3ACCESS ENFORCEMENTDetermine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.AC-3(1)RESTRICTED ACCESS TO PRIVILEGED FUNCTIONSAC-6[Withdrawn: Incorporated into AC-6].AC-3(2)DUAL AUTHORIZATIONDetermine if:AC-3(2)[1]the organization defines privileged commands and/or other actions for which dual authorization is to be enforced; andAC-3(2)[2]the information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.AC-3(3)MANDATORY ACCESS CONTROLDetermine if:AC-3(3)[1]the organization defines mandatory access control policies to be enforced over all subjects and objects;AC-3(3)[2]the organization defines subjects over which organization-defined mandatory access control policies are to be enforced;AC-3(3)[3]the organization defines objects over which organization-defined mandatory access control policies are to be enforced;AC-3(3)[4]the organization defines subjects that may explicitly be granted privileges such that they are not limited by the constraints specified elsewhere within this control;AC-3(3)[5]the organization defines privileges that may be granted to organization-defined subjects;AC-3(3)[6]the information system enforces organization-defined mandatory access control policies over all subjects and objects where the policy specifies 
that:AC-3(3)[6](a)the policy is uniformly enforced across all subjects and objects within the boundary of the information system;AC-3(3)[6](b)a subject that has been granted access to information is constrained from doing any of the following:AC-3(3)[6](b)(1)passing the information to unauthorized subjects or objects;AC-3(3)[6](b)(2)granting its privileges to other subjects;AC-3(3)[6](b)(3)changing one or more security attributes on:AC-3(3)[6](b)(3)[a]subjects;AC-3(3)[6](b)(3)[b]objects;AC-3(3)[6](b)(3)[c]the information system; orAC-3(3)[6](b)(3)[d]system components;AC-3(3)[6](b)(4)choosing the security attributes and attribute values to be associated with newly created or modified objects; orAC-3(3)[6](b)(5)changing the rules governing access control; andAC-3(3)[6](c)organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the above constraints.AC-3(4)DISCRETIONARY ACCESS CONTROLDetermine if:AC-3(4)[1]the organization defines discretionary access control policies to be enforced over defined subjects and objects;AC-3(4)[2]the information system enforces organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject has been granted access to information and can do one or more of the following:AC-3(4)[2](a)pass the information to any other subjects or objects;AC-3(4)[2](b)grant its privileges to other subjects;AC-3(4)[2](c)change security attributes on:AC-3(4)[2](c)[a]subjects,AC-3(4)[2](c)[b]objects,AC-3(4)[2](c)[c]the information system, orAC-3(4)[2](c)[d]the information system’s components;AC-3(4)[2](d)choose the security attributes to be associated with newly created or revised objects; orAC-3(4)[2](e)change the rules governing access control.AC-3(5)SECURITY-RELEVANT INFORMATIONDetermine if:AC-3(5)[1]the organization defines security-relevant information to which the information system prevents access except 
during secure, non-operable system states; andAC-3(5)[2]the information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.AC-3(6)PROTECTION OF USER AND SYSTEM INFORMATIONMP-4SC-28[Withdrawn: Incorporated into MP-4 and SC-28].AC-3(7)ROLE-BASED ACCESS CONTROLDetermine if: AC-3(7)[1]the organization defines roles to control information system access;AC-3(7)[2]the organization defines users authorized to assume the organization-defined roles;AC-3(7)[3]the information system controls access based on organization-defined roles and users authorized to assume such roles;AC-3(7)[4]the information system enforces a role-based access control policy over defined:AC-3(7)[4][a]subjects, andAC-3(7)[4][b]objects.AC-3(8)REVOCATION OF ACCESS AUTHORIZATIONSDetermine if: AC-3(8)[1]the organization defines rules governing the timing of revocations of access authorizations; andAC-3(8)[2]the information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on organization-defined rules governing the timing of revocations of access authorizations.AC-3(9)CONTROLLED RELEASEDetermine if: AC-3(9)[1]the organization defines the information system or system component authorized to receive information released outside of the established system boundary of the information system releasing such information;AC-3(9)[2]the organization defines security safeguards to be provided by organization-defined information system or system component receiving information released from an information system outside of the established system boundary;AC-3(9)[3]the organization defines security safeguards to be used to validate the appropriateness of the information designated for release;AC-3(9)[4]the information system does not release information outside of the established system boundary unless:AC-3(9)[4](a)the receiving organization-defined information 
system or system component provides organization-defined security safeguards; andAC-3(9)[4](b)the organization-defined security safeguards are used to validate the appropriateness of the information designated for release.AC-3(10)AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMSDetermine if the organization: AC-3(10)[1]defines conditions under which to employ an audited override of automated access control mechanisms; andAC-3(10)[2]employs an audited override of automated access control mechanisms under organization-defined conditions.ACCESS CONTROLAC-4INFORMATION FLOW ENFORCEMENTDetermine if:AC-4[1]the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; andAC-4[2]the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.AC-4(1)OBJECT SECURITY ATTRIBUTESDetermine if:AC-4(1)[1]the organization defines information flow control policies as a basis for flow control decisions;AC-4(1)[2]the organization defines security attributes to be associated with information, source, and destination objects;AC-4(1)[3]the organization defines the following objects to be associated with organization-defined security attributes:AC-4(1)[3][a]information;AC-4(1)[3][b]source;AC-4(1)[3][c]destination; andAC-4(1)[4]the information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.AC-4(2)PROCESSING DOMAINSDetermine if:AC-4(2)[1]the organization defines information flow control policies as a basis for flow control decisions; andAC-4(2)[2]the information system uses protected processing domains to enforce organization-defined information flow control policies as a 
basis for flow control decisions.AC-4(3)DYNAMIC INFORMATION FLOW CONTROLDetermine if:AC-4(3)[1]the organization defines policies to enforce dynamic information flow control; andAC-4(3)[2]the information system enforces dynamic information flow control based on organization-defined policies.AC-4(4)CONTENT CHECK ENCRYPTED INFORMATIONDetermine if:AC-4(4)[1]the organization defines a procedure or method to be employed to prevent encrypted information from bypassing content-checking mechanisms;AC-4(4)[2]the information system prevents encrypted information from bypassing content-checking mechanisms by doing one or more of the following:AC-4(4)[2][a]decrypting the information;AC-4(4)[2][b]blocking the flow of the encrypted information;AC-4(4)[2][c]terminating communications sessions attempting to pass encrypted information; and/orAC-4(4)[2][d]employing the organization-defined procedure or method.AC-4(5)EMBEDDED DATA TYPESDetermine if:AC-4(5)[1]the organization defines limitations to be enforced on embedding data types within other data types; andAC-4(5)[2]the information system enforces organization-defined limitations on embedding data types within other data types.AC-4(6)METADATADetermine if:AC-4(6)[1]the organization defines metadata to be used as a means of enforcing information flow control; andAC-4(6)[2]the information system enforces information flow control based on organization-defined metadata.AC-4(7)ONE-WAY FLOW MECHANISMSDetermine if:AC-4(7)[1]the organization defines one-way information flows to be enforced by the information system; andAC-4(7)[2]the information system enforces organization-defined one-way information flows using hardware mechanisms.AC-4(8)SECURITY POLICY FILTERSDetermine if:AC-4(8)[1]the organization defines security policy filters to be used as a basis for enforcing flow control decisions;AC-4(8)[2]the organization defines information flows for which flow control decisions are to be applied and enforced; andAC-4(8)[3]the information 
system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.AC-4(9)HUMAN REVIEWSDetermine if:AC-4(9)[1]the organization defines information flows requiring the use of human reviews;AC-4(9)[2]the organization defines conditions under which the use of human reviews for organization-defined information flows is to be enforced; andAC-4(9)[3]the information system enforces the use of human reviews for organization-defined information flows under organization-defined conditions.AC-4(10)ENABLE / DISABLE SECURITY POLICY FILTERSDetermine if:AC-4(10)[1]the organization defines security policy filters that privileged administrators have the capability to enable/disable;AC-4(10)[2]the organization-defined conditions under which privileged administrators have the capability to enable/disable organization-defined security policy filters; andAC-4(10)[3]the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters under organization-defined conditions.AC-4(11)CONFIGURATION OF SECURITY POLICY FILTERSDetermine if:AC-4(11)[1]the organization defines security policy filters that privileged administrators have the capability to configure to support different security policies; andAC-4(11)[2]the information system provides the capability for privileged administrators to configure organization-defined security policy filters to support different security policies.AC-4(12)DATA TYPE IDENTIFIERSDetermine if:AC-4(12)[1]the organization defines data type identifiers to be used, when transferring information between different security domains, to validate data essential for information flow decisions; andAC-4(12)[2]the information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow 
decisions.AC-4(13)DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTSDetermine if:AC-4(13)[1]the organization defines policy-relevant subcomponents to decompose information for submission to policy enforcement mechanisms when transferring such information between different security domains; andAC-4(13)[2]the information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.AC-4(14)SECURITY POLICY FILTER CONSTRAINTSDetermine if:AC-4(14)[1]the organization defines security policy filters to be implemented that require fully enumerated formats restricting data structure and content when transferring information between different security domains; andAC-4(14)[2]the information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.AC-4(15)DETECTION OF UNSANCTIONED INFORMATIONDetermine if:AC-4(15)[1]the organization defines unsanctioned information to be detected when transferring information between different security domains;AC-4(15)[2]the organization defines the security policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited when the presence of such information is detected; andAC-4(15)[3]the information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information and prohibits the transfer of such information in accordance with the organization-defined security policy.AC-4(16)INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMSAC-4[Withdrawn: Incorporated into AC-4].AC-4(17)DOMAIN AUTHENTICATIONDetermine if the information system uniquely identifies and authenticates: AC-4(17)[1]AC-4(17)[1][a]source 
points for information transfer;AC-4(17)[1][b]destination points for information transfer;AC-4(17)[2]by one or more of the following:AC-4(17)[2][a]organization;AC-4(17)[2][b]system;AC-4(17)[2][c]application; and/orAC-4(17)[2][d]individual.AC-4(18)SECURITY ATTRIBUTE BINDINGDetermine if: AC-4(18)[1]the organization defines binding techniques to be used to facilitate information flow policy enforcement; andAC-4(18)[2]the information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.AC-4(19)VALIDATION OF METADATADetermine if the information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. AC-4(20)APPROVED SOLUTIONSDetermine if the organization:AC-4(20)[1]defines solutions in approved configurations to control the flow of information across security domains;AC-4(20)[2]defines information for which organization-defined solutions in approved configurations are to be employed to control the flow of such information across security domains; andAC-4(20)[3]employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains.AC-4(21)PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWSDetermine if: AC-4(21)[1]the organization defines the required separations of information flows by types of information;AC-4(21)[2]the organization defines the mechanisms and/or techniques to be used to separate information flows logically or physically; andAC-4(21)[3]the information system separates information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information.AC-4(22)ACCESS ONLYDetermine if the information system provides access from a single device to computing platforms, applications, or data residing on 
multiple different security domains, while preventing any information flow between the different security domains. ACCESS CONTROLAC-5SEPARATION OF DUTIESDetermine if the organization:AC-5(a)AC-5(a)[1]defines duties of individuals to be separated;AC-5(a)[2]separates organization-defined duties of individuals;AC-5(b)documents separation of duties; andAC-5(c)defines information system access authorizations to support separation of duties.ACCESS CONTROLAC-6LEAST PRIVILEGEDetermine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. AC-6(1)AUTHORIZE ACCESS TO SECURITY FUNCTIONSDetermine if the organization: AC-6(1)[1]defines security-relevant information for which access must be explicitly authorized;AC-6(1)[2]defines security functions deployed in:AC-6(1)[2][a]hardware;AC-6(1)[2][b]software;AC-6(1)[2][c]firmware;AC-6(1)[3]explicitly authorizes access to:AC-6(1)[3][a]organization-defined security functions; andAC-6(1)[3][b]security-relevant information.AC-6(2)NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONSDetermine if the organization:AC-6(2)[1]defines security functions or security-relevant information to which users of information system accounts, or roles, have access; andAC-6(2)[2]requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.AC-6(3)NETWORK ACCESS TO PRIVILEGED COMMANDSDetermine if the organization:AC-6(3)[1]defines privileged commands to which network access is to be authorized only for compelling operational needs;AC-6(3)[2]defines compelling operational needs for which network access to organization-defined privileged commands are to be solely authorized;AC-6(3)[3]authorizes 
network access to organization-defined privileged commands only for organization-defined compelling operational needs; andAC-6(3)[4]documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.AC-6(4)SEPARATE PROCESSING DOMAINSDetermine if the information system provides separate processing domains to enable finer-grained allocation of user privileges.AC-6(5)PRIVILEGED ACCOUNTSDetermine if the organization:AC-6(5)[1]defines personnel or roles for which privileged accounts on the information system are to be restricted; andAC-6(5)[2]restricts privileged accounts on the information system to organization-defined personnel or roles.AC-6(6)PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERSDetermine if the organization prohibits privileged access to the information system by non-organizational users. AC-6(7)REVIEW OF USER PRIVILEGESDetermine if the organization: AC-6(7)(a)AC-6(7)(a)[1]defines roles or classes of users to which privileges are assigned;AC-6(7)(a)[2]defines the frequency to review the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges;AC-6(7)(a)[3]reviews the privileges assigned to organization-defined roles or classes of users with the organization-defined frequency to validate the need for such privileges; andAC-6(7)(b)reassigns or removes privileges, if necessary, to correctly reflect organizational missions/business needs.AC-6(8)PRIVILEGE LEVELS FOR CODE EXECUTIONDetermine if: AC-6(8)[1]the organization defines software that should not execute at higher privilege levels than users executing the software; andAC-6(8)[2]the information system prevents organization-defined software from executing at higher privilege levels than users executing the software.AC-6(9)AUDITING USE OF PRIVILEGED FUNCTIONSDetermine if the information system audits the execution of privileged functions. 
AC-6(10)PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONSDetermine if the information system prevents non-privileged users from executing privileged functions to include:AC-6(10)[1]disabling implemented security safeguards/countermeasures;AC-6(10)[2]circumventing security safeguards/countermeasures; orAC-6(10)[3]altering implemented security safeguards/countermeasures.ACCESS CONTROLAC-7UNSUCCESSFUL LOGIN ATTEMPTSDetermine if: AC-7(a)AC-7(a)[1]the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;AC-7(a)[2]the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;AC-7(a)[3]the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;AC-7(b)AC-7(b)[1]the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;AC-7(b)[2]the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:AC-7(b)[2][a]locks the account/node for the organization-defined time period;AC-7(b)[2][b]locks the account/node until released by an administrator; orAC-7(b)[2][c]delays next logon prompt according to the organization-defined delay algorithm.AC-7(1)AUTOMATIC ACCOUNT LOCKAC-7[Withdrawn: Incorporated into AC-7].AC-7(2)PURGE / WIPE MOBILE DEVICEDetermine if:AC-7(2)[1]the organization defines mobile devices to be purged/wiped after organization-defined number of consecutive, unsuccessful device logon attempts;AC-7(2)[2]the organization defines purging/wiping requirements/techniques to be used when organization-defined mobile devices are purged/wiped after organization-defined number of 
consecutive, unsuccessful device logon attempts;AC-7(2)[3]the organization defines the number of consecutive, unsuccessful logon attempts allowed for accessing mobile devices before the information system purges/wipes information from such devices; andAC-7(2)[4]the information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after organization-defined number of consecutive, unsuccessful logon attempts.ACCESS CONTROLAC-8SYSTEM USE NOTIFICATIONDetermine if:AC-8(a)AC-8(a)[1]the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;AC-8(a)[2]the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:AC-8(a)[2](1)users are accessing a U.S. 
Government information system;AC-8(a)[2](2)information system usage may be monitored, recorded, and subject to audit;AC-8(a)[2](3)unauthorized use of the information system is prohibited and subject to criminal and civil penalties;AC-8(a)[2](4)use of the information system indicates consent to monitoring and recording;AC-8(b)the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;AC-8(c)for publicly accessible systems:AC-8(c)(1)AC-8(c)(1)[1]the organization defines conditions for system use to be displayed by the information system before granting further access;AC-8(c)(1)[2]the information system displays organization-defined conditions before granting further access;AC-8(c)(2)the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; andAC-8(c)(3)the information system includes a description of the authorized uses of the system.ACCESS CONTROLAC-9PREVIOUS LOGON (ACCESS) NOTIFICATIONDetermine if the information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).AC-9(1)UNSUCCESSFUL LOGONSDetermine if the information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. 
AC-9(2) SUCCESSFUL / UNSUCCESSFUL LOGONS
Determine if:
AC-9(2)[1] the organization defines the time period within which the information system must notify the user of the number of:
AC-9(2)[1][a] successful logons/accesses; and/or
AC-9(2)[1][b] unsuccessful logon/access attempts;
AC-9(2)[2] the information system, during the organization-defined time period, notifies the user of the number of:
AC-9(2)[2][a] successful logons/accesses; and/or
AC-9(2)[2][b] unsuccessful logon/access attempts.
AC-9(3) NOTIFICATION OF ACCOUNT CHANGES
Determine if:
AC-9(3)[1] the organization defines security-related characteristics/parameters of a user's account;
AC-9(3)[2] the organization defines the time period during which the information system must notify the user of changes to organization-defined security-related characteristics/parameters of a user's account; and
AC-9(3)[3] the information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user's account during the organization-defined time period.
AC-9(4) ADDITIONAL LOGON INFORMATION
Determine if:
AC-9(4)[1] the organization defines information to be included in addition to the date and time of the last logon (access); and
AC-9(4)[2] the information system notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).

ACCESS CONTROL
AC-10 CONCURRENT SESSION CONTROL
Determine if:
AC-10[1] the organization defines accounts and/or account types for the information system;
AC-10[2] the organization defines the number of concurrent sessions to be allowed for each organization-defined account and/or account type; and
AC-10[3] the information system limits the number of concurrent sessions for each organization-defined account and/or account type to the organization-defined number of concurrent sessions allowed.

ACCESS CONTROL
AC-11 SESSION LOCK
Determine if:
AC-11(a)
AC-11(a)[1] the organization defines the time period of user inactivity after which the information system initiates a session lock;
AC-11(a)[2] the information system prevents further access to the system by initiating a session lock after the organization-defined time period of user inactivity or upon receiving a request from a user; and
AC-11(b) the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11(1) PATTERN-HIDING DISPLAYS
Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

ACCESS CONTROL
AC-12 SESSION TERMINATION
Determine if:
AC-12[1] the organization defines conditions or trigger events requiring session disconnect; and
AC-12[2] the information system automatically terminates a user session after any of the organization-defined conditions or trigger events requiring session disconnect occurs.
AC-12(1) USER-INITIATED LOGOUTS/MESSAGE DISPLAYS
Determine if:
AC-12(1)(a)
AC-12(1)(a)[1] the organization defines information resources for which user authentication is required to gain access to such resources;
AC-12(1)(a)[2] the information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources; and
AC-12(1)(b) the information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

ACCESS CONTROL
AC-13 SUPERVISION AND REVIEW – ACCESS CONTROL
[Withdrawn: Incorporated into AC-2 and AU-6].

ACCESS CONTROL
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
Determine if the organization:
AC-14(a)
AC-14(a)[1] defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;
AC-14(a)[2] identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
AC-14(b) documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-14(1) NECESSARY USES
[Withdrawn: Incorporated into AC-14].

ACCESS CONTROL
AC-15 AUTOMATED MARKING
[Withdrawn: Incorporated into MP-3].

ACCESS CONTROL
AC-16 SECURITY ATTRIBUTES
Determine if the organization:
AC-16(a)
AC-16(a)[1] defines types of security attributes to be associated with information:
AC-16(a)[1][a] in storage;
AC-16(a)[1][b] in process; and/or
AC-16(a)[1][c] in transmission;
AC-16(a)[2] defines security attribute values for organization-defined types of security attributes;
AC-16(a)[3] provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information:
AC-16(a)[3][a] in storage;
AC-16(a)[3][b] in process; and/or
AC-16(a)[3][c] in transmission;
AC-16(b) ensures that the security attribute associations are made and retained with the information;
AC-16(c)
AC-16(c)[1] defines information systems for which the permitted organization-defined security attributes are to be established;
AC-16(c)[2] defines security attributes that are permitted for organization-defined information systems;
AC-16(c)[3] establishes the permitted organization-defined security attributes for organization-defined information systems;
AC-16(d)
AC-16(d)[1] defines values or ranges for each of the established security attributes; and
AC-16(d)[2] determines the permitted organization-defined values or ranges for each of the established security attributes.
AC-16(1) DYNAMIC ATTRIBUTE ASSOCIATION
Determine if:
AC-16(1)[1] the organization defines subjects and objects to which security attributes are to be dynamically associated as information is created and combined;
AC-16(1)[2] the organization defines security policies requiring the information system to dynamically associate security attributes with organization-defined subjects and objects; and
AC-16(1)[3] the information system dynamically associates security attributes with organization-defined subjects and objects in accordance with organization-defined security policies as information is created and combined.
AC-16(2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
Determine if the information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
AC-16(3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM
Determine if:
AC-16(3)[1] the organization defines security attributes to be associated with organization-defined subjects and objects;
AC-16(3)[2] the organization defines subjects and objects requiring the association and integrity of security attributes to such subjects and objects to be maintained; and
AC-16(3)[3] the information system maintains the association and integrity of organization-defined security attributes to organization-defined subjects and objects.
AC-16(4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
Determine if:
AC-16(4)[1] the organization defines security attributes to be associated with subjects and objects by authorized individuals (or processes acting on behalf of individuals);
AC-16(4)[2] the organization defines subjects and objects requiring the association of organization-defined security attributes by authorized individuals (or processes acting on behalf of individuals); and
AC-16(4)[3] the information system supports the association of organization-defined security attributes with organization-defined subjects and objects by authorized individuals (or processes acting on behalf of individuals).
AC-16(5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
Determine if:
AC-16(5)[1] the organization identifies special dissemination, handling, or distribution instructions to be used for each object that the information system transmits to output devices;
AC-16(5)[2] the organization identifies human-readable, standard naming conventions for the security attributes to be displayed in human-readable form on each object that the information system transmits to output devices; and
AC-16(5)[3] the information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.
AC-16(6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION
Determine if the organization:
AC-16(6)[1] defines security attributes to be associated with subjects and objects;
AC-16(6)[2] defines subjects and objects to be associated with organization-defined security attributes;
AC-16(6)[3] defines security policies to allow personnel to associate, and maintain the association of, organization-defined security attributes with organization-defined subjects and objects; and
AC-16(6)[4] allows personnel to associate, and maintain the association of, organization-defined security attributes with organization-defined subjects and objects in accordance with organization-defined security policies.
AC-16(7) CONSISTENT ATTRIBUTE INTERPRETATION
Determine if the organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
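AC-16 requires that attribute associations be made and retained with the information (AC-16(b)), maintained with integrity by the system (AC-16(3)), assigned dynamically as information is created and combined (AC-16(1)), interpreted consistently across distributed components (AC-16(7)) and, per AC-16(9) below, reassigned only through validated re-grading mechanisms. As an added example that is not part of SP 800-53A, the following Python shows one way a labelling component can give labels those properties: a canonical label encoding, a keyed MAC that binds each label to the content it describes, and least-upper-bound labelling for objects created by combining others. The level vocabulary, the compartment names, the key and the sample data are all constructed for the example.

```python
# Added example, not from SP 800-53A: one way to give security attributes the
# properties AC-16(1), AC-16(3), AC-16(7) and AC-16(9) ask for. Assumptions
# (mine): a two-part label (classification level plus compartments), a fixed
# level ordering, and a labelling key held by the component that binds labels;
# the key and the sample data below are constructed for the example.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet

# AC-16(d): permitted values, in dominance order (assumed vocabulary).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
# AC-16(9): only the holder of this key can (re)assign a label that verifies.
# Constructed for the example; a real deployment keeps it in an HSM or KMS.
LABEL_KEY = b"example-label-binding-key-do-not-reuse"


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Subject label clears object label: level >= and compartments superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def canonical(label: Label) -> bytes:
    """AC-16(7): one encoding, so every component reads the label the same way."""
    if label.level not in LEVELS:
        raise ValueError(f"level not permitted: {label.level}")
    return json.dumps({"level": label.level, "compartments": sorted(label.compartments)},
                      sort_keys=True, separators=(",", ":")).encode()


def _tag(data: bytes, label: Label) -> str:
    # Bind label and content together: MAC over (label || hash(data)).
    msg = canonical(label) + b"\x00" + hashlib.sha256(data).digest()
    return hmac.new(LABEL_KEY, msg, "sha256").hexdigest()


def bind(data: bytes, label: Label) -> dict:
    """AC-16(a)[3]/(b): associate a label with information and retain it."""
    return {"data": data, "label": label, "tag": _tag(data, label)}


def verify(obj: dict) -> bool:
    """AC-16(3): the association is intact (neither label nor data changed)."""
    return hmac.compare_digest(obj["tag"], _tag(obj["data"], obj["label"]))


def combine(a: dict, b: dict) -> dict:
    """AC-16(1): information created by combining two objects gets the least
    upper bound of their labels, assigned at creation time."""
    if not (verify(a) and verify(b)):
        raise ValueError("refusing to combine objects with a broken label binding")
    level = max(a["label"].level, b["label"].level, key=LEVELS.__getitem__)
    comps = a["label"].compartments | b["label"].compartments
    return bind(a["data"] + b"\n" + b["data"], Label(level, comps))


def read_allowed(subject: Label, obj: dict) -> bool:
    """Access decision: the binding must verify and the subject must dominate."""
    return verify(obj) and subject.dominates(obj["label"])


def demo() -> dict:
    """Constructed scenario: combine two objects, then try an out-of-band re-grade."""
    memo = bind(b"meeting at 10", Label("UNCLASSIFIED"))
    plan = bind(b"site plan", Label("SECRET", frozenset({"ALPHA"})))
    merged = combine(memo, plan)
    # Attempt to re-grade outside the labelling component (what AC-16(9) forbids).
    tampered = dict(merged, label=Label("UNCLASSIFIED"))
    analyst = Label("SECRET", frozenset({"ALPHA"}))
    clerk = Label("CONFIDENTIAL")
    return {
        "merged_level": merged["label"].level,
        "merged_compartments": sorted(merged["label"].compartments),
        "merged_ok": verify(merged),
        "tampered_ok": verify(tampered),
        "analyst_reads_merged": read_allowed(analyst, merged),
        "clerk_reads_merged": read_allowed(clerk, merged),
        "clerk_reads_tampered": read_allowed(clerk, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

A label edited in place without the labelling key fails verify(), so an access decision that checks the binding before the dominance test refuses to act on it. That is what turns "the association is retained with the information" into something an assessor can exercise (alter a label, observe the refusal) rather than take on trust.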
AC-16(8) ASSOCIATION TECHNIQUES/TECHNOLOGIES
Determine if:
AC-16(8)[1] the organization defines techniques or technologies to be implemented in associating security attributes to information;
AC-16(8)[2] the organization defines the level of assurance to be provided when the information system implements organization-defined techniques or technologies to associate security attributes to information; and
AC-16(8)[3] the information system implements organization-defined techniques or technologies with the organization-defined level of assurance in associating security attributes to information.
AC-16(9) ATTRIBUTE REASSIGNMENT
Determine if the organization:
AC-16(9)[1] defines techniques or procedures to validate re-grading mechanisms used to reassign association of security attributes with information; and
AC-16(9)[2] ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures.
AC-16(10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
Determine if the information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.

ACCESS CONTROL
AC-17 REMOTE ACCESS
Determine if the organization:
AC-17(a)
AC-17(a)[1] identifies the types of remote access allowed to the information system;
AC-17(a)[2] establishes for each type of remote access allowed:
AC-17(a)[2][a] usage restrictions;
AC-17(a)[2][b] configuration/connection requirements;
AC-17(a)[2][c] implementation guidance;
AC-17(a)[3] documents for each type of remote access allowed:
AC-17(a)[3][a] usage restrictions;
AC-17(a)[3][b] configuration/connection requirements;
AC-17(a)[3][c] implementation guidance; and
AC-17(b) authorizes remote access to the information system prior to allowing such connections.
AC-17(1) AUTOMATED MONITORING/CONTROL
Determine if the information system monitors and controls remote access methods.
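AC-10 through AC-12 above describe three session mechanisms the information system itself must enforce: a concurrent-session limit per account type, a lock after inactivity (or on user request) that holds until the user re-authenticates, and automatic termination on organization-defined trigger events, with an explicit message on user-initiated logout (AC-12(1)). The following is an added example, not code from the standard, of a session table that applies all three on every request; it is the kind of thing an assessor would expect to see behind AC-17(1)'s "monitors and controls remote access methods" as well. The limits and time periods are assumed values standing in for the organization-defined parameters, timestamps are plain seconds so the scenario runs offline, and the scenario in demo() is constructed.

```python
# Added example, not from SP 800-53A: a session table that enforces the
# mechanisms AC-10, AC-11, AC-12 and AC-12(1) describe. The limits and time
# periods below are assumed values standing in for the organization-defined
# parameters; timestamps are plain seconds so the scenario runs offline.
from dataclasses import dataclass
from typing import Dict

MAX_SESSIONS = {"user": 2, "admin": 1}   # AC-10[2]: per account type (assumed)
LOCK_AFTER = 15 * 60                     # AC-11(a)[1]: idle seconds before lock (assumed)
TERMINATE_AFTER = 60 * 60                # AC-12[1]: assumed trigger: idle this long


class SessionError(PermissionError):
    pass


@dataclass
class Session:
    user: str
    account_type: str
    last_activity: float
    locked: bool = False
    active: bool = True
    end_reason: str = ""


class SessionManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self._next = 0

    def open(self, user: str, account_type: str, now: float) -> str:
        """AC-10[3]: refuse a new session beyond the limit for the account type."""
        live = [s for s in self.sessions.values() if s.user == user and s.active]
        if len(live) >= MAX_SESSIONS[account_type]:
            raise SessionError(f"AC-10: {user} already has {len(live)} active session(s)")
        self._next += 1
        sid = f"s{self._next}"
        self.sessions[sid] = Session(user, account_type, now)
        return sid

    def touch(self, sid: str, now: float) -> None:
        """Call on every request. Applies AC-12 termination and the AC-11 lock
        based on idle time before letting the request through."""
        s = self.sessions[sid]
        if not s.active:
            raise SessionError("AC-12: session terminated")
        idle = now - s.last_activity
        if idle >= TERMINATE_AFTER:
            self.terminate(sid, "idle beyond organization-defined period")
            raise SessionError("AC-12: session terminated")
        if idle >= LOCK_AFTER:
            s.locked = True                  # AC-11(a)[2]: lock after inactivity
        if s.locked:
            raise SessionError("AC-11: session locked; re-authenticate to continue")
        s.last_activity = now

    def lock(self, sid: str) -> None:
        """AC-11(a)[2]: lock on user request."""
        self.sessions[sid].locked = True

    def unlock(self, sid: str, reauthenticated: bool, now: float) -> bool:
        """AC-11(b): the lock holds until the user re-establishes access through
        identification and authentication (its result is passed in)."""
        s = self.sessions[sid]
        if not (s.active and reauthenticated):
            return False
        s.locked, s.last_activity = False, now
        return True

    def terminate(self, sid: str, reason: str) -> None:
        """AC-12[2]: automatic termination on a trigger event."""
        s = self.sessions[sid]
        s.active, s.end_reason = False, reason

    def logout(self, sid: str) -> str:
        """AC-12(1): user-initiated logout with an explicit termination message."""
        self.terminate(sid, "user logout")
        return f"Session {sid} has been terminated. You are now logged out."


def demo() -> dict:
    """Runs a constructed scenario and returns what each step decided."""
    m = SessionManager()
    s1 = m.open("alice", "user", now=0)
    s2 = m.open("alice", "user", now=10)
    try:
        m.open("alice", "user", now=20)
        third = "allowed"
    except SessionError:
        third = "refused"
    try:
        m.touch(s1, now=LOCK_AFTER + 5)          # idle 905 s: locked, request refused
        after_idle = "served"
    except SessionError:
        after_idle = "locked"
    unlocked = m.unlock(s1, reauthenticated=True, now=LOCK_AFTER + 60)
    m.touch(s1, now=LOCK_AFTER + 70)              # served again after re-authentication
    try:
        m.touch(s2, now=TERMINATE_AFTER + 10)     # idle 3600 s since t=10: terminated
        long_idle = "served"
    except SessionError:
        long_idle = "terminated"
    return {"third_session": third, "after_idle": after_idle, "unlocked": unlocked,
            "long_idle": long_idle, "s2_active": m.sessions[s2].active,
            "logout_message": m.logout(s1), "s1_active": m.sessions[s1].active,
            "reopen_after_logout": m.open("alice", "user", now=TERMINATE_AFTER + 20) != ""}


if __name__ == "__main__":
    print(demo())
```

The check order in touch() matters: termination is evaluated before the lock, so a session that sat idle past both thresholds is ended rather than merely locked, and a locked session stays refused until unlock() is called with a fresh authentication result, which is the AC-11(b) requirement.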
AC-17(2) PROTECTION OF CONFIDENTIALITY/INTEGRITY USING ENCRYPTION
Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17(3) MANAGED ACCESS CONTROL POINTS
Determine if:
AC-17(3)[1] the organization defines the number of managed network access control points through which all remote accesses are to be routed; and
AC-17(3)[2] the information system routes all remote accesses through the organization-defined number of managed network access control points.
AC-17(4) PRIVILEGED COMMANDS / ACCESS
Determine if the organization:
AC-17(4)(a)
AC-17(4)(a)[1] defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;
AC-17(4)(a)[2] authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and
AC-17(4)(b) documents the rationale for such access in the information system security plan.
AC-17(5) MONITORING FOR UNAUTHORIZED CONNECTIONS
[Withdrawn: Incorporated into SI-4].
AC-17(6) PROTECTION OF INFORMATION
Determine if the organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17(7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS
[Withdrawn: Incorporated into AC-3(10)].
AC-17(8) DISABLE NONSECURE NETWORK PROTOCOLS
[Withdrawn: Incorporated into CM-7].
AC-17(9) DISCONNECT/DISABLE ACCESS
Determine if the organization:
AC-17(9)[1] defines the time period within which to expeditiously disconnect or disable remote access to the information system; and
AC-17(9)[2] provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.

ACCESS CONTROL
AC-18 WIRELESS ACCESS
Determine if the organization:
AC-18(a) establishes for wireless access:
AC-18(a)[1] usage restrictions;
AC-18(a)[2] configuration/connection requirements;
AC-18(a)[3] implementation guidance; and
AC-18(b) authorizes wireless access to the information system prior to allowing such connections.
AC-18(1) AUTHENTICATION AND ENCRYPTION
Determine if the information system protects wireless access to the system using encryption and one or more of the following:
AC-18(1)[1] authentication of users; and/or
AC-18(1)[2] authentication of devices.
AC-18(2) MONITORING UNAUTHORIZED CONNECTIONS
[Withdrawn: Incorporated into SI-4].
AC-18(3) DISABLE WIRELESS NETWORKING
Determine if the organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
AC-18(4) RESTRICT CONFIGURATIONS BY USERS
Determine if the organization:
AC-18(4)[1] identifies users allowed to independently configure wireless networking capabilities; and
AC-18(4)[2] explicitly authorizes the identified users allowed to independently configure wireless networking capabilities.
AC-18(5) ANTENNAS/TRANSMISSION POWER LEVELS
Determine if the organization:
AC-18(5)[1] selects radio antennas to reduce the probability that usable signals can be received outside of organization-controlled boundaries; and
AC-18(5)[2] calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

ACCESS CONTROL
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
Determine if the organization:
AC-19(a) establishes for organization-controlled mobile devices:
AC-19(a)[1] usage restrictions;
AC-19(a)[2] configuration/connection requirements;
AC-19(a)[3] implementation guidance; and
AC-19(b) authorizes the connection of mobile devices to organizational information systems.
AC-19(1) USE OF WRITABLE/PORTABLE STORAGE DEVICES
[Withdrawn: Incorporated into MP-7].
AC-19(2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES
[Withdrawn: Incorporated into MP-7].
AC-19(3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER
[Withdrawn: Incorporated into MP-7].
AC-19(4) RESTRICTIONS FOR CLASSIFIED INFORMATION
Determine if the organization:
AC-19(4)(a) prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official;
AC-19(4)(b) enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
AC-19(4)(b)(1) connection of unclassified mobile devices to classified information systems is prohibited;
AC-19(4)(b)(2) connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
AC-19(4)(b)(3) use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited;
AC-19(4)(b)(4)
AC-19(4)(b)(4)[1] the organization defines security officials responsible for reviews and inspections of unclassified mobile devices and the information stored on those devices;
AC-19(4)(b)(4)[2] unclassified mobile devices and the information stored on those devices are subject to random reviews/inspections by organization-defined security officials;
AC-19(4)(b)(4)[3] the incident handling policy is followed if classified information is found;
AC-19(4)(c)
AC-19(4)(c)[1] defines security policies to restrict the connection of classified mobile devices to classified information systems; and
AC-19(4)(c)[2] restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies.
AC-19(5) FULL DEVICE / CONTAINER-BASED ENCRYPTION
Determine if the organization:
AC-19(5)[1] defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and
AC-19(5)[2] employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

ACCESS CONTROL
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
AC-20(a) access the information system from the external information systems; and
AC-20(b) process, store, or transmit organization-controlled information using external information systems.
AC-20(1) LIMITS ON AUTHORIZED USE
Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
AC-20(1)(a) verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
AC-20(1)(b) retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20(2) PORTABLE STORAGE DEVICES
Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-20(3) NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES
Determine if the organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
AC-20(4) NETWORK ACCESSIBLE STORAGE DEVICES
Determine if the organization:
AC-20(4)[1] defines network accessible storage devices to be prohibited from use in external information systems; and
AC-20(4)[2] prohibits the use of organization-defined network accessible storage devices in external information systems.

ACCESS CONTROL
AC-21 INFORMATION SHARING
Determine if the organization:
AC-21(a)
AC-21(a)[1] defines information sharing circumstances where user discretion is required;
AC-21(a)[2] facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;
AC-21(b)
AC-21(b)[1] defines automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions; and
AC-21(b)[2] employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.
AC-21(1) AUTOMATED DECISION SUPPORT
Determine if the information system enforces information-sharing decisions by authorized users based on:
AC-21(1)[1] access authorizations of sharing partners; and
AC-21(1)[2] access restrictions on information to be shared.
AC-21(2) INFORMATION SEARCH AND RETRIEVAL
Determine if:
AC-21(2)[1] the organization defines information sharing restrictions to be enforced through information search and retrieval services; and
AC-21(2)[2] the information system implements information search and retrieval services that enforce organization-defined information sharing restrictions.

ACCESS CONTROL
AC-22 PUBLICLY ACCESSIBLE CONTENT
Determine if the organization:
AC-22(a) designates individuals authorized to post information onto a publicly accessible information system;
AC-22(b) trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22(c) reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;
AC-22(d)
AC-22(d)[1] defines the frequency to review the content on the publicly accessible information system for nonpublic information;
AC-22(d)[2] reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and
AC-22(d)[3] removes nonpublic information from the publicly accessible information system, if discovered.

ACCESS CONTROL
AC-23 DATA MINING PROTECTION
Determine if the organization:
AC-23[1] defines data mining prevention and detection techniques to be employed for organization-defined data storage objects to adequately detect and protect against data mining;
AC-23[2] defines data storage objects to be protected from data mining; and
AC-23[3] employs organization-defined data mining prevention and detection techniques for organization-defined data storage objects to adequately detect and protect against data mining.

ACCESS CONTROL
AC-24 ACCESS CONTROL DECISIONS
Determine if the organization:
AC-24[1] defines access control decisions to be applied to each access request prior to access control enforcement; and
AC-24[2] establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access control enforcement.
AC-24(1) TRANSMIT ACCESS AUTHORIZATION INFORMATION
Determine if:
AC-24(1)[1] the organization defines access authorization information that the information system transmits to organization-defined information systems that enforce access control decisions;
AC-24(1)[2] the organization defines security safeguards to be used when the information system transmits organization-defined access authorization information to organization-defined information systems that enforce access control decisions;
AC-24(1)[3] the organization defines the information systems that enforce access control decisions; and
AC-24(1)[4] the information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems that enforce access control decisions.
AC-24(2) NO USER OR PROCESS IDENTITY
Determine if:
AC-24(2)[1] the organization defines security attributes that support access control decisions that do not include the identity of the user or processes acting on behalf of the user; and
AC-24(2)[2] the information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.

ACCESS CONTROL
AC-25 REFERENCE MONITOR
Determine if:
AC-25[1] the organization defines access control policies for which the information system implements a reference monitor to enforce such policies; and
AC-25[2] the information system implements a reference monitor for organization-defined access control policies that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

AWARENESS AND TRAINING
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Determine if the organization:
AT-1(a)(1)
AT-1(a)(1)[1] develops and documents a security awareness and training policy that addresses:
AT-1(a)(1)[1][a] purpose;
AT-1(a)(1)[1][b] scope;
AT-1(a)(1)[1][c] roles;
AT-1(a)(1)[1][d] responsibilities;
AT-1(a)(1)[1][e] management commitment;
AT-1(a)(1)[1][f] coordination among organizational entities;
AT-1(a)(1)[1][g] compliance;
AT-1(a)(1)[2] defines personnel or roles to whom the security awareness and training policy is to be disseminated;
AT-1(a)(1)[3] disseminates the security awareness and training policy to organization-defined personnel or roles;
AT-1(a)(2)
AT-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;
AT-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
AT-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
AT-1(b)(1)
AT-1(b)(1)[1] defines the frequency to review and update the current security awareness and training policy;
AT-1(b)(1)[2] reviews and updates the current security awareness and training policy with the organization-defined frequency;
AT-1(b)(2)
AT-1(b)(2)[1] defines the frequency to review and update the current security awareness and training procedures; and
AT-1(b)(2)[2] reviews and updates the current security awareness and training procedures with the organization-defined frequency.

AWARENESS AND TRAINING
AT-2 SECURITY AWARENESS TRAINING
Determine if the organization:
AT-2(a) provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;
AT-2(b) provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and
AT-2(c)
AT-2(c)[1] defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and
AT-2(c)[2] provides refresher security awareness training to information system users (including managers, senior executives, and contractors) with the organization-defined frequency.
AT-2(1) PRACTICAL EXERCISES
Determine if the organization includes practical exercises in security awareness training that simulate actual cyber attacks.
AT-2(2) INSIDER THREAT
Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AWARENESS AND TRAINING
AT-3 ROLE-BASED SECURITY TRAINING
Determine if the organization:
AT-3(a) provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;
AT-3(b) provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and
AT-3(c)
AT-3(c)[1] defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and
AT-3(c)[2] provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.
AT-3(1) ENVIRONMENTAL CONTROLS
Determine if the organization:
AT-3(1)[1] defines personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls;
AT-3(1)[2] provides organization-defined personnel or roles with initial and refresher training in the employment and operation of environmental controls;
AT-3(1)[3] defines the frequency to provide refresher training in the employment and operation of environmental controls; and
AT-3(1)[4] provides refresher training in the employment and operation of environmental controls with the organization-defined frequency.
AT-3(2) PHYSICAL SECURITY CONTROLS
Determine if the organization:
AT-3(2)[1] defines personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls;
AT-3(2)[2] provides organization-defined personnel or roles with initial and refresher training in the employment and operation of physical security controls;
AT-3(2)[3] defines the frequency to provide refresher training in the employment and operation of physical security controls; and
AT-3(2)[4] provides refresher training in the employment and operation of physical security controls with the organization-defined frequency.
AT-3(3) PRACTICAL EXERCISES
Determine if the organization includes practical exercises in security training that reinforce training objectives.
AT-3(4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
Determine if the organization:
AT-3(4)[1] defines indicators of malicious code; and
AT-3(4)[2] provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.

AWARENESS AND TRAINING
AT-4 SECURITY TRAINING RECORDS
Determine if the organization:
AT-4(a)
AT-4(a)[1] documents individual information system security training activities including:
AT-4(a)[1][a] basic security awareness training;
AT-4(a)[1][b] specific role-based information system security training;
AT-4(a)[2] monitors individual information system security training activities including:
AT-4(a)[2][a] basic security awareness training;
AT-4(a)[2][b] specific role-based information system security training;
AT-4(b)
AT-4(b)[1] defines a time period to retain individual training records; and
AT-4(b)[2] retains individual training records for the organization-defined time period.

AWARENESS AND TRAINING
AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
[Withdrawn: Incorporated into PM-15].

AUDIT AND ACCOUNTABILITY
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
Determine if the organization:
AU-1(a)(1)
AU-1(a)(1)[1] develops and documents an audit and accountability policy that addresses:
AU-1(a)(1)[1][a] purpose;
AU-1(a)(1)[1][b] scope;
AU-1(a)(1)[1][c] roles;
AU-1(a)(1)[1][d] responsibilities;
AU-1(a)(1)[1][e] management commitment;
AU-1(a)(1)[1][f] coordination among organizational entities;
AU-1(a)(1)[1][g] compliance;
AU-1(a)(1)[2] defines personnel or roles to whom the audit and accountability policy is to be disseminated;
AU-1(a)(1)[3] disseminates the audit and accountability policy to organization-defined personnel or roles;
AU-1(a)(2)
AU-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;
AU-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
AU-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
AU-1(b)(1)
AU-1(b)(1)[1] defines the frequency to review and update the current audit and accountability policy;
AU-1(b)(1)[2] reviews and updates the current audit and accountability policy with the organization-defined frequency;
AU-1(b)(2)
AU-1(b)(2)[1] defines the frequency to review and update the current audit and accountability procedures; and
AU-1(b)(2)[2] reviews and updates the current audit and accountability procedures with the organization-defined frequency.

AUDIT AND ACCOUNTABILITY
AU-2 AUDIT EVENTS
Determine if the organization:
AU-2(a)
AU-2(a)[1] defines the auditable events that the information system must be capable of auditing;
AU-2(a)[2] determines that the information system is capable of auditing organization-defined auditable events;
AU-2(b) coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
AU-2(c) provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;
AU-2(d)
AU-2(d)[1] defines the subset of auditable events defined in AU-2a that are to be audited within the information system;
AU-2(d)[2] determines that the subset of auditable events defined in AU-2a is to be audited within the information system; and
AU-2(d)[3] determines the frequency of (or situation requiring) auditing for each identified event.
AU-2(1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES
[Withdrawn: Incorporated into AU-12].
AU-2(2) SELECTION OF AUDIT EVENTS BY COMPONENT
[Withdrawn: Incorporated into AU-12].
AU-2(3) REVIEWS AND UPDATES
Determine if the organization:
AU-2(3)[1] defines the frequency to review and update the auditable events; and
AU-2(3)[2] reviews and updates the auditable events with the organization-defined frequency.
AU-2(4) PRIVILEGED FUNCTIONS
[Withdrawn: Incorporated into AC-6(9)].

AUDIT AND ACCOUNTABILITY
AU-3 CONTENT OF AUDIT RECORDS
Determine if the information system generates audit records containing information that establishes:
AU-3[1] what type of event occurred;
AU-3[2] when the event occurred;
AU-3[3] where the event occurred;
AU-3[4] the source of the event;
AU-3[5] the outcome of the event; and
AU-3[6] the identity of any individuals or subjects associated with the event.
AU-3(1) ADDITIONAL AUDIT INFORMATION
Determine if:
AU-3(1)[1] the organization defines additional, more detailed information to be contained in audit records that the information system generates; and
AU-3(1)[2] the information system generates audit records containing the organization-defined additional, more detailed information.
AU-3(2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
Determine if:
AU-3(2)[1] the organization defines information system components that generate audit records whose content is to be centrally managed and configured by the information system; and
AU-3(2)[2] the information system provides centralized management and configuration of the content to be captured in audit records generated by the organization-defined information system components.

AUDIT AND ACCOUNTABILITY
AU-4 AUDIT STORAGE CAPACITY
Determine if the organization:
AU-4[1] defines audit record storage requirements; and
AU-4[2] allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.
AU-4(1) TRANSFER TO ALTERNATE STORAGE
Determine if:
AU-4(1)[1] the organization defines the frequency to off-load audit records onto a different system or media than the system being audited; and
AU-4(1)[2] the information system off-loads audit records onto a different system or media than the system being audited with the organization-defined frequency.

AUDIT AND ACCOUNTABILITY
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
Determine if:
AU-5(a)
AU-5(a)[1] the organization defines the personnel or roles to be alerted in the event of an audit processing failure;
AU-5(a)[2] the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;
AU-5(b)
AU-5(b)[1] the organization defines additional actions to be taken (e.g., shut down the information system, overwrite the oldest audit records, stop generating audit records) in the event of an audit processing failure; and
AU-5(b)[2] the information system takes the additional organization-defined actions in the event of an audit processing failure.
AU-5(1) AUDIT STORAGE CAPACITY
Determine if:
AU-5(1)[1] the organization defines:
AU-5(1)[1][a] personnel to be warned when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;
AU-5(1)[1][b] roles to be warned when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity; and/or
AU-5(1)[1][c] locations to be warned when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;
AU-5(1)[2] the organization defines the time period within which the information system is to provide a warning to the organization-defined personnel, roles, and/or locations when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;
AU-5(1)[3] the organization defines the percentage of repository maximum audit record storage capacity that, if reached, requires a warning to be provided; and
AU-5(1)[4] the information system provides a warning to the organization-defined personnel, roles, and/or locations within the organization-defined time period when allocated audit record storage volume reaches the 
organization-defined percentage of repository maximum audit record storage capacity.AU-5(2)REAL-TIME ALERTSDetermine if:AU-5(2)[1]the organization defines audit failure events requiring real-time alerts;AU-5(2)[2]the organization defines:AU-5(2)[2][a]personnel to be alerted when organization-defined audit failure events requiring real-time alerts occur;AU-5(2)[2][b]roles to be alerted when organization-defined audit failure events requiring real-time alerts occur; and/orAU-5(2)[2][c]locations to be alerted when organization-defined audit failure events requiring real-time alerts occur;AU-5(2)[3]the organization defines the real-time period within which the information system is to provide an alert to the organization-defined personnel, roles, and/or locations when the organization-defined audit failure events requiring real-time alerts occur; andAU-5(2)[4]the information system provides an alert within the organization-defined real-time period to the organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.AU-5(3)CONFIGURABLE TRAFFIC VOLUME THRESHOLDSDetermine if:AU-5(3)[1]the information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity;AU-5(3)[2]the organization selects if network traffic above configurable traffic volume thresholds is to be:AU-5(3)[2][a]rejected; orAU-5(3)[2][b]delayed; andAU-5(3)[3]the information system rejects or delays network communications traffic generated above configurable traffic volume thresholds.AU-5(4)SHUTDOWN ON FAILUREDetermine if:AU-5(4)[1]the organization selects one of the following specific actions for the information system to invoke in the event of organization-defined audit failures:AU-5(4)[1][a]full system shutdown;AU-5(4)[1][b]partial system shutdown; orAU-5(4)[1][c]degraded operational mode with limited mission/business functionality available;AU-5(4)[2]the organization defines 
audit failures that, unless an alternate audit capability exists, are to trigger the information system to invoke a specific action; andAU-5(4)[3]the information system invokes the selected specific action in the event of organization-defined audit failures, unless an alternate audit capability exists.AUDIT AND ACCOUNTABILITYAU-6AUDIT REVIEW, ANALYSIS, AND REPORTINGDetermine if the organization:AU-6(a)AU-6(a)[1]defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;AU-6(a)[2]defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;AU-6(a)[3]reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;AU-6(b)AU-6(b)[1]defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; andAU-6(b)[2]reports findings to organization-defined personnel or roles.AU-6(1)PROCESS INTEGRATIONDetermine if the organization: AU-6(1)[1]employs automated mechanisms to integrate:AU-6(1)[1][a]audit review;AU-6(1)[1][b]analysis;AU-6(1)[1][c]reporting processes;AU-6(1)[2]uses integrated audit review, analysis and reporting processes to support organizational processes for:AU-6(1)[2][a]investigation of suspicious activities; andAU-6(1)[2][b]response to suspicious activities.AU-6(2)AUTOMATED SECURITY ALERTSSI-4[Withdrawn: Incorporated into SI-4].AU-6(3)CORRELATE AUDIT REPOSITORIESDetermine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. 
AU-6(4)CENTRAL REVIEW AND ANALYSISDetermine if the information system provides the capability to centrally review and analyze audit records from multiple components within the system.AU-6(5)INTEGRATION/SCANNING AND MONITORING CAPABILITIESDetermine if the organization: AU-6(5)[1]defines data/information to be collected from other sources;AU-6(5)[2]selects sources of data/information to be analyzed and integrated with the analysis of audit records from one or more of the following:AU-6(5)[2][a]vulnerability scanning information;AU-6(5)[2][b]performance data;AU-6(5)[2][c]information system monitoring information; and/orAU-6(5)[2][d]organization-defined data/information collected from other sources; andAU-6(5)[3]integrates the analysis of audit records with the analysis of selected data/information to further enhance the ability to identify inappropriate or unusual activity.AU-6(6)CORRELATION WITH PHYSICAL MONITORINGDetermine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.AU-6(7)PERMITTED ACTIONSDetermine if the organization specifies the permitted actions for each one or more of the following associated with the review, analysis and reporting of audit information:AU-6(7)[1]information system process;AU-6(7)[2]role; and/orAU-6(7)[3]user.AU-6(8)FULL TEXT ANALYSIS OF PRIVILEGED COMMANDSDetermine if the organization performs a full text analysis of audited privileged commands in:AU-6(8)[1]a physically distinct component or subsystem of the information system; orAU-6(8)[2]other information system that is dedicated to that analysis.AU-6(9)CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCESDetermine if the organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.AU-6(10)AUDIT LEVEL ADJUSTMENTDetermine if the organization adjusts 
the level of audit review, analysis, and reporting within the information system when there is a change in risk based on:AU-6(10)[1]law enforcement information;AU-6(10)[2]intelligence information; and/orAU-6(10)[3]other credible sources of information.AUDIT AND ACCOUNTABILITYAU-7AUDIT REDUCTION AND REPORT GENERATIONDetermine if the information system provides an audit reduction and report generation capability that supports:AU-7(a)AU-7(a)[1]on-demand audit review;AU-7(a)[2]analysis;AU-7(a)[3]reporting requirements;AU-7(a)[4]after-the-fact investigations of security incidents; andAU-7(b)does not alter the original content or time ordering of audit records.AU-7(1)AUTOMATIC PROCESSINGDetermine if:AU-7(1)[1]the organization defines audit fields within audit records in order to process audit records for events of interest; andAU-7(1)[2]the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records.AU-7(2)AUTOMATIC SORT AND SEARCHDetermine if:AU-7(2)[1]the organization defines audit fields within audit records in order to sort and search audit records for events of interest based on content of such audit fields; andAU-7(2)[2]the information system provides the capability to sort and search audit records for events of interest based on the content of organization-defined audit fields within audit records.AUDIT AND ACCOUNTABILITYAU-8TIME STAMPSDetermine if:AU-8(a)the information system uses internal system clocks to generate time stamps for audit records;AU-8(b)AU-8(b)[1]the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);AU-8(b)[2]the organization defines the granularity of time measurement to be met when recording time stamps for audit records; andAU-8(b)[3]the organization records time stamps for audit records that meet the organization-defined granularity of time 
measurement.AU-8(1)SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCEDetermine if: AU-8(1)(a)AU-8(1)(a)[1]the organization defines the authoritative time source to which internal information system clocks are to be compared;AU-8(1)(a)[2]the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; andAU-8(1)(a)[3]the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; andAU-8(1)(b)AU-8(1)(b)[1]the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; andAU-8(1)(b)[2]the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.AU-8(2)SECONDARY AUTHORITATIVE TIME SOURCEDetermine if the information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. 
AUDIT AND ACCOUNTABILITYAU-9PROTECTION OF AUDIT INFORMATIONDetermine if: AU-9[1]the information system protects audit information from unauthorized:AU-9[1][a]access;AU-9[1][b]modification;AU-9[1][c]deletion;AU-9[2]the information system protects audit tools from unauthorized:AU-9[2][a]access;AU-9[2][b]modification; andAU-9[2][c]deletion.AU-9(1)HARDWARE WRITE-ONCE MEDIADetermine if the information system writes audit trails to hardware-enforced, write-once media.AU-9(2)AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTSDetermine if:AU-9(2)[1]the organization defines the frequency to back up audit records onto a physically different system or system component than the system or component being audited; andAU-9(2)[2]the information system backs up audit records with the organization-defined frequency, onto a physically different system or system component than the system or component being audited.AU-9(3)CRYPTOGRAPHIC PROTECTIONDetermine if the information system:AU-9(3)[1]uses cryptographic mechanisms to protect the integrity of audit information; andAU-9(3)[2]uses cryptographic mechanisms to protect the integrity of audit tools.AU-9(4)ACCESS BY SUBSET OF PRIVILEGED USERSDetermine if the organization:AU-9(4)[1]defines a subset of privileged users to be authorized access to management of audit functionality; andAU-9(4)[2]authorizes access to management of audit functionality to only the organization-defined subset of privileged users.AU-9(5)DUAL AUTHORIZATIONDetermine if the organization: AU-9(5)[1]defines audit information for which dual authorization is to be enforced;AU-9(5)[2]defines one or more of the following types of operations on audit information for which dual authorization is to be enforced:AU-9(5)[2][a]movement; and/orAU-9(5)[2][b]deletion; andAU-9(5)[3]enforces dual authorization for the movement and/or deletion of organization-defined audit information.AU-9(6)READ ONLY ACCESSDetermine if the organization: AU-9(6)[1]defines the subset of privileged 
users to be authorized read-only access to audit information; andAU-9(6)[2]authorizes read-only access to audit information to the organization-defined subset of privileged users.AUDIT AND ACCOUNTABILITYAU-10NON-REPUDIATIONDetermine if: AU-10[1]the organization defines actions to be covered by non-repudiation; andAU-10[2]the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.AU-10(1)ASSOCIATION OF IDENTITIESDetermine if: AU-10(1)(a)AU-10(1)(a)[1]the organization defines the strength of binding to be employed between the identity of the information producer and the information;AU-10(1)(a)[2]the information system binds the identity of the information producer with the information to the organization-defined strength of binding; andAU-10(1)(b)the information system provides the means for authorized individuals to determine the identity of the producer of the information.AU-10(2)VALIDATE BINDING OF INFORMATION PRODUCER IDENTITYDetermine if: AU-10(2)(a)AU-10(2)(a)[1]the organization defines the frequency to validate the binding of the information producer identity to the information;AU-10(2)(a)[2]the information system validates the binding of the information producer identity to the information at the organization-defined frequency; andAU-10(2)(b)AU-10(2)(b)[1]the organization defines actions to be performed in the event of a validation error; andAU-10(2)(b)[2]the information system performs organization-defined actions in the event of a validation error.AU-10(3)CHAIN OF CUSTODYDetermine if the information system: AU-10(3)[1]maintains reviewer/releaser identity within the established chain of custody for all information reviewed;AU-10(3)[2]maintains reviewer/releaser identity within the established chain of custody for all information released;AU-10(3)[3]maintains reviewer/releaser credentials within the established chain of 
custody for all information reviewed; andAU-10(3)[4]maintains reviewer/releaser credentials within the established chain of custody for all information released.AU-10(4)VALIDATE BINDING OF INFORMATION REVIEWER IDENTITYDetermine if: AU-10(4)(a)AU-10(4)(a)[1]the organization defines security domains for which the binding of the information reviewer identity to the information is to be validated at the transfer or release points prior to release/transfer between such domains;AU-10(4)(a)[2]the information system validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between organization-defined security domains;AU-10(4)(b)AU-10(4)(b)[1]the organization defines actions to be performed in the event of a validation error; andAU-10(4)(b)[2]the information system performs organization-defined actions in the event of a validation error.AU-10(5)DIGITAL SIGNATURESSI-7[Withdrawn: Incorporated into SI-7].AUDIT AND ACCOUNTABILITYAU-11AUDIT RECORD RETENTIONDetermine if the organization:AU-11[1]defines a time period to retain audit records that is consistent with records retention policy;AU-11[2]retains audit records for the organization-defined time period consistent with records retention policy to:AU-11[2][a]provide support for after-the-fact investigations of security incidents; andAU-11[2][b]meet regulatory and organizational information retention requirements.AU-11(1)LONG-TERM RETRIEVAL CAPABILITYDetermine if the organization: AU-11(1)[1]defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved; andAU-11(1)[2]employs organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved.AUDIT AND ACCOUNTABILITYAU-12AUDIT GENERATIONDetermine if:AU-12(a)AU-12(a)[1]the organization defines the information system components which are to provide audit record generation capability for 
the auditable events defined in AU-2a;AU-12(a)[2]the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;AU-12(b)AU-12(b)[1]the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;AU-12(b)[2]the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; andAU-12(c)the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.AU-12(1)SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAILDetermine if:AU-12(1)[1]the organization defines the information system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail;AU-12(1)[2]the organization defines the level of tolerance for the relationship between time stamps of individual records in the audit trail; andAU-12(1)[3]the information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.AU-12(2)STANDARDIZED FORMATSDetermine if the information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.AU-12(3)CHANGES BY AUTHORIZED INDIVIDUALSDetermine if: AU-12(3)[1]the organization defines information system components on which auditing is to be performed;AU-12(3)[2]the organization defines individuals or roles authorized to change the auditing to be performed on organization-defined information system components;AU-12(3)[3]the organization defines time thresholds within which organization-defined individuals or roles can change 
the auditing to be performed on organization-defined information system components;AU-12(3)[4]the organization defines selectable event criteria that support the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components; andAU-12(3)[5]the information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.AUDIT AND ACCOUNTABILITYAU-13MONITORING FOR INFORMATION DISCLOSUREDetermine if the organization:AU-13[1]defines open source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information;AU-13[2]defines a frequency to monitor organization-defined open source information and/or information sites for evidence of unauthorized disclosure of organizational information; andAU-13[3]monitors organization-defined open source information and/or information sites for evidence of unauthorized disclosure of organizational information with the organization-defined frequency.AU-13(1)USE OF AUTOMATED TOOLSDetermine if the organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. AU-13(2)REVIEW OF MONITORED SITESDetermine if the organization:AU-13(2)[1]defines a frequency to review the open source information sites being monitored; andAU-13(2)[2]reviews the open source information sites being monitored with the organization-defined frequency.AUDIT AND ACCOUNTABILITYAU-14SESSION AUDITDetermine if the information system provides the capability for authorized users to select a user session to: AU-14[1]capture/record; and/orAU-14[2]view/hear.AU-14(1)SYSTEM START-UPDetermine if the information system initiates session audits at system start-up. 
AU-14(2)CAPTURE / RECORD AND LOG CONTENTDetermine if the information system provides the capability for authorized users to: AU-14(2)[1]capture/record content related to a user session; andAU-14(2)[2]log content related to a user session.AU-14(3)REMOTE VIEWING / LISTENINGDetermine if the information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. AUDIT AND ACCOUNTABILITYAU-15ALTERNATE AUDIT CAPABILITYDetermine if the organization:AU-15[1]defines alternative audit functionality to be provided in the event of a failure in primary audit capability; andAU-15[2]provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality.AUDIT AND ACCOUNTABILITYAU-16CROSS-ORGANIZATIONAL AUDITINGDetermine if the organization:AU-16[1]defines audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries;AU-16[2]defines methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries; andAU-16[3]employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.AU-16(1)IDENTITY PRESERVATIONDetermine if the organization requires that the identity of individuals be preserved in cross- organizational audit trails.AU-16(2)SHARING OF AUDIT INFORMATIONDetermine if the organization:AU-16(2)[1]defines organizations with whom cross-organizational audit information is to be shared;AU-16(2)[2]defines cross-organizational sharing agreements to be used when providing cross-organizational audit information to organization-defined organizations; andAU-16(2)[3]provides cross-organizational audit information to 
organization-defined organizations based on organization-defined cross-organizational sharing agreements.SECURITY ASSESSMENT AND AUTHORIZATIONCA-1SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURESDetermine if the organization:CA-1(a)(1)CA-1(a)(1)[1]develops and documents a security assessment and authorization policy that addresses:CA-1(a)(1)[1][a]purpose;CA-1(a)(1)[1][b]scope;CA-1(a)(1)[1][c]roles;CA-1(a)(1)[1][d]responsibilities;CA-1(a)(1)[1][e]management commitment;CA-1(a)(1)[1][f]coordination among organizational entities;CA-1(a)(1)[1][g]compliance;CA-1(a)(1)[2]defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;CA-1(a)(1)[3]disseminates the security assessment and authorization policy to organization-defined personnel or roles;CA-1(a)(2)CA-1(a)(2)[1]develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;CA-1(a)(2)[2]defines personnel or roles to whom the procedures are to be disseminated;CA-1(a)(2)[3]disseminates the procedures to organization-defined personnel or roles;CA-1(b)(1)CA-1(b)(1)[1]defines the frequency to review and update the current security assessment and authorization policy;CA-1(b)(1)[2]reviews and updates the current security assessment and authorization policy with the organization-defined frequency;CA-1(b)(2)CA-1(b)(2)[1]defines the frequency to review and update the current security assessment and authorization procedures; andCA-1(b)(2)[2]reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.SECURITY ASSESSMENT AND AUTHORIZATIONCA-2SECURITY ASSESSMENTSDetermine if the organization:CA-2(a)develops a security assessment plan that describes the scope of the assessment including:CA-2(a)(1)security controls and control enhancements under assessment;CA-2(a)(2)assessment procedures to be used to 
determine security control effectiveness;CA-2(a)(3)CA-2(a)(3)[1]assessment environment;CA-2(a)(3)[2]assessment team;CA-2(a)(3)[3]assessment roles and responsibilities;CA-2(b)CA-2(b)[1]defines the frequency to assess the security controls in the information system and its environment of operation;CA-2(b)[2]assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;CA-2(c)produces a security assessment report that documents the results of the assessment;CA-2(d)CA-2(d)[1]defines individuals or roles to whom the results of the security control assessment are to be provided; andCA-2(d)[2]provides the results of the security control assessment to organization-defined individuals or roles.CA-2(1)INDEPENDENT ASSESSORSDetermine if the organization:CA-2(1)[1]defines the level of independence to be employed to conduct security control assessments; andCA-2(1)[2]employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.CA-2(2)SPECIALIZED ASSESSMENTSDetermine if the organization:CA-2(2)[1]selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:CA-2(2)[1][a]in-depth monitoring;CA-2(2)[1][b]vulnerability scanning;CA-2(2)[1][c]malicious user testing;CA-2(2)[1][d]insider threat assessment;CA-2(2)[1][e]performance/load testing; and/orCA-2(2)[1][f]other forms of organization-defined specialized security assessment;CA-2(2)[2]defines the frequency for conducting the selected form(s) of specialized security assessment;CA-2(2)[3]defines whether the specialized security assessment will be announced or unannounced; andCA-2(2)[4]conducts announced or unannounced organization-defined forms of specialized security assessments 
with the organization-defined frequency as part of security control assessments.

CA-2(3) EXTERNAL ORGANIZATIONS
Determine if the organization:
  CA-2(3)[1] defines an information system for which the results of a security assessment performed by an external organization are to be accepted;
  CA-2(3)[2] defines an external organization from which to accept a security assessment performed on an organization-defined information system;
  CA-2(3)[3] defines the requirements to be met by a security assessment performed by the organization-defined external organization on the organization-defined information system; and
  CA-2(3)[4] accepts the results of an assessment of an organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.

SECURITY ASSESSMENT AND AUTHORIZATION
CA-3 SYSTEM INTERCONNECTIONS
Determine if the organization:
  CA-3(a) authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  CA-3(b) documents, for each interconnection:
    CA-3(b)[1] the interface characteristics;
    CA-3(b)[2] the security requirements;
    CA-3(b)[3] the nature of the information communicated;
  CA-3(c)
    CA-3(c)[1] defines the frequency to review and update Interconnection Security Agreements; and
    CA-3(c)[2] reviews and updates Interconnection Security Agreements with the organization-defined frequency.

CA-3(1) UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(1)[1] defines an unclassified, national security system whose direct connection to an external network is to be prohibited without the use of an approved boundary protection device;
  CA-3(1)[2] defines a boundary protection device to be used to establish the direct connection of an organization-defined unclassified, national security system to an external network; and
  CA-3(1)[3] prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device.

CA-3(2) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(2)[1] defines a boundary protection device to be used to establish the direct connection of a classified, national security system to an external network; and
  CA-3(2)[2] prohibits the direct connection of a classified, national security system to an external network without the use of an organization-defined boundary protection device.

CA-3(3) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(3)[1] defines an unclassified, non-national security system whose direct connection to an external network is to be prohibited without the use of an approved boundary protection device;
  CA-3(3)[2] defines a boundary protection device to be used to establish the direct connection of an organization-defined unclassified, non-national security system to an external network; and
  CA-3(3)[3] prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of an organization-defined boundary protection device.

CA-3(4) CONNECTIONS TO PUBLIC NETWORKS
Determine if the organization:
  CA-3(4)[1] defines an information system whose direct connection to a public network is to be prohibited; and
  CA-3(4)[2] prohibits the direct connection of an organization-defined information system to a public network.

CA-3(5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(5)[1] defines information systems to be allowed to connect to external information systems;
  CA-3(5)[2] employs one of the following policies for allowing organization-defined information systems to connect to external information systems:
    CA-3(5)[2][a] allow-all policy;
    CA-3(5)[2][b] deny-by-exception policy;
    CA-3(5)[2][c] deny-all policy; or
    CA-3(5)[2][d] permit-by-exception policy.

SECURITY ASSESSMENT AND AUTHORIZATION
CA-4 SECURITY CERTIFICATION
[Withdrawn: Incorporated into CA-2].

SECURITY ASSESSMENT AND AUTHORIZATION
CA-5 PLAN OF ACTION AND MILESTONES
Determine if the organization:
  CA-5(a) develops a plan of action and milestones for the information system to:
    CA-5(a)[1] document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;
    CA-5(a)[2] reduce or eliminate known vulnerabilities in the system;
  CA-5(b)
    CA-5(b)[1] defines the frequency to update the existing plan of action and milestones;
    CA-5(b)[2] updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:
      CA-5(b)[2][a] security controls assessments;
      CA-5(b)[2][b] security impact analyses; and
      CA-5(b)[2][c] continuous monitoring activities.

CA-5(1) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
Determine if the organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is:
  CA-5(1)[1] accurate;
  CA-5(1)[2] up to date; and
  CA-5(1)[3] readily available.

SECURITY ASSESSMENT AND AUTHORIZATION
CA-6 SECURITY AUTHORIZATION
Determine if the organization:
  CA-6(a) assigns a senior-level executive or manager as the authorizing official for the information system;
  CA-6(b) ensures that the authorizing official authorizes the information system for processing before commencing operations;
  CA-6(c)
    CA-6(c)[1] defines the frequency to update the security authorization; and
    CA-6(c)[2] updates the security authorization with the organization-defined frequency.

SECURITY ASSESSMENT AND AUTHORIZATION
CA-7 CONTINUOUS MONITORING
Determine if the organization:
  CA-7(a)
    CA-7(a)[1] develops a continuous monitoring strategy that defines metrics to be monitored;
    CA-7(a)[2] develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;
    CA-7(a)[3] implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  CA-7(b)
    CA-7(b)[1] develops a continuous monitoring strategy that defines frequencies for monitoring;
    CA-7(b)[2] defines frequencies for assessments supporting monitoring;
    CA-7(b)[3] develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;
    CA-7(b)[4] implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;
  CA-7(c)
    CA-7(c)[1] develops a continuous monitoring strategy that includes ongoing security control assessments;
    CA-7(c)[2] implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  CA-7(d)
    CA-7(d)[1] develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;
    CA-7(d)[2] implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  CA-7(e)
    CA-7(e)[1] develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;
    CA-7(e)[2] implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;
  CA-7(f)
    CA-7(f)[1] develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;
    CA-7(f)[2] implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;
  CA-7(g)
    CA-7(g)[1] develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;
    CA-7(g)[2] develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;
    CA-7(g)[3] develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organization-defined personnel or roles with the organization-defined frequency; and
    CA-7(g)[4] implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

CA-7(1) INDEPENDENT ASSESSMENT
Determine if the organization:
  CA-7(1)[1] defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and
  CA-7(1)[2] employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.

CA-7(2) TYPES OF ASSESSMENTS
[Withdrawn: Incorporated into CA-2].

CA-7(3) TREND ANALYSIS
Determine if the organization employs trend analyses to determine if the following items need to be modified based on empirical data:
  CA-7(3)[1] security control implementations;
  CA-7(3)[2] the frequency of continuous monitoring activities; and/or
  CA-7(3)[3] the types of activities used in the continuous monitoring process.

SECURITY ASSESSMENT AND AUTHORIZATION
CA-8 PENETRATION TESTING
Determine if the organization:
  CA-8[1] defines information systems or system components on which penetration testing is to be conducted;
  CA-8[2] defines the frequency to conduct penetration testing on organization-defined information systems or system components; and
  CA-8[3] conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency.

CA-8(1) INDEPENDENT PENETRATION AGENT OR TEAM
Determine if the organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

CA-8(2) RED TEAM EXERCISES
Determine if the organization:
  CA-8(2)[1] defines red team exercises to be employed to simulate attempts by adversaries to compromise organizational information systems;
  CA-8(2)[2] defines rules of engagement for employing organization-defined red team exercises; and
  CA-8(2)[3] employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement.

SECURITY ASSESSMENT AND AUTHORIZATION
CA-9 INTERNAL SYSTEM CONNECTIONS
Determine if the organization:
  CA-9(a)
    CA-9(a)[1] defines information system components or classes of components to be authorized as internal connections to the information system;
    CA-9(a)[2] authorizes internal connections of organization-defined information system components or classes of components to the information system;
  CA-9(b) documents, for each internal connection:
    CA-9(b)[1] the interface characteristics;
    CA-9(b)[2] the security requirements; and
    CA-9(b)[3] the nature of the information communicated.

CA-9(1) SECURITY COMPLIANCE CHECKS
Determine if the information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
CONFIGURATION MANAGEMENT
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
Determine if the organization:
  CM-1(a)(1)
    CM-1(a)(1)[1] develops and documents a configuration management policy that addresses:
      CM-1(a)(1)[1][a] purpose;
      CM-1(a)(1)[1][b] scope;
      CM-1(a)(1)[1][c] roles;
      CM-1(a)(1)[1][d] responsibilities;
      CM-1(a)(1)[1][e] management commitment;
      CM-1(a)(1)[1][f] coordination among organizational entities;
      CM-1(a)(1)[1][g] compliance;
    CM-1(a)(1)[2] defines personnel or roles to whom the configuration management policy is to be disseminated;
    CM-1(a)(1)[3] disseminates the configuration management policy to organization-defined personnel or roles;
  CM-1(a)(2)
    CM-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;
    CM-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    CM-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  CM-1(b)(1)
    CM-1(b)(1)[1] defines the frequency to review and update the current configuration management policy;
    CM-1(b)(1)[2] reviews and updates the current configuration management policy with the organization-defined frequency;
  CM-1(b)(2)
    CM-1(b)(2)[1] defines the frequency to review and update the current configuration management procedures; and
    CM-1(b)(2)[2] reviews and updates the current configuration management procedures with the organization-defined frequency.

CONFIGURATION MANAGEMENT
CM-2 BASELINE CONFIGURATION
Determine if the organization:
  CM-2[1] develops and documents a current baseline configuration of the information system; and
  CM-2[2] maintains, under configuration control, a current baseline configuration of the information system.

CM-2(1) REVIEWS AND UPDATES
Determine if the organization:
  CM-2(1)(a)
    CM-2(1)(a)[1] defines the frequency to review and update the baseline configuration of the information system;
    CM-2(1)(a)[2] reviews and updates the baseline configuration of the information system with the organization-defined frequency;
  CM-2(1)(b)
    CM-2(1)(b)[1] defines circumstances that require the baseline configuration of the information system to be reviewed and updated;
    CM-2(1)(b)[2] reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and
  CM-2(1)(c) reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.

CM-2(2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
Determine if the organization employs automated mechanisms to maintain:
  CM-2(2)[1] an up-to-date baseline configuration of the information system;
  CM-2(2)[2] a complete baseline configuration of the information system;
  CM-2(2)[3] an accurate baseline configuration of the information system; and
  CM-2(2)[4] a readily available baseline configuration of the information system.

CM-2(3) RETENTION OF PREVIOUS CONFIGURATIONS
Determine if the organization:
  CM-2(3)[1] defines previous versions of baseline configurations of the information system to be retained to support rollback; and
  CM-2(3)[2] retains organization-defined previous versions of baseline configurations of the information system to support rollback.

CM-2(4) UNAUTHORIZED SOFTWARE
[Withdrawn: Incorporated into CM-7].

CM-2(5) AUTHORIZED SOFTWARE
[Withdrawn: Incorporated into CM-7].

CM-2(6) DEVELOPMENT AND TEST ENVIRONMENTS
Determine if the organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.

CM-2(7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
Determine if the organization:
  CM-2(7)(a)
    CM-2(7)(a)[1] defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;
    CM-2(7)(a)[2] defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;
    CM-2(7)(a)[3] issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;
  CM-2(7)(b)
    CM-2(7)(b)[1] defines security safeguards to be applied to the devices when the individuals return; and
    CM-2(7)(b)[2] applies organization-defined safeguards to the devices when the individuals return.

CONFIGURATION MANAGEMENT
CM-3 CONFIGURATION CHANGE CONTROL
Determine if the organization:
  CM-3(a) determines the type of changes to the information system that must be configuration-controlled;
  CM-3(b) reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  CM-3(c) documents configuration change decisions associated with the information system;
  CM-3(d) implements approved configuration-controlled changes to the information system;
  CM-3(e)
    CM-3(e)[1] defines a time period to retain records of configuration-controlled changes to the information system;
    CM-3(e)[2] retains records of configuration-controlled changes to the information system for the organization-defined time period;
  CM-3(f) audits and reviews activities associated with configuration-controlled changes to the information system;
  CM-3(g)
    CM-3(g)[1] defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;
    CM-3(g)[2] defines the frequency with which the configuration change control element must convene; and/or
    CM-3(g)[3] defines configuration change conditions that prompt the configuration change control element to convene; and
    CM-3(g)[4] coordinates and provides oversight for configuration change control activities through the organization-defined configuration change control element that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.

CM-3(1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
Determine if the organization:
  CM-3(1)(a) employs automated mechanisms to document proposed changes to the information system;
  CM-3(1)(b)
    CM-3(1)(b)[1] defines approval authorities to be notified of proposed changes to the information system and request change approval;
    CM-3(1)(b)[2] employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;
  CM-3(1)(c)
    CM-3(1)(c)[1] defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;
    CM-3(1)(c)[2] employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by the organization-defined time period;
  CM-3(1)(d) employs automated mechanisms to prohibit changes to the information system until designated approvals are received;
  CM-3(1)(e) employs automated mechanisms to document all changes to the information system;
  CM-3(1)(f)
    CM-3(1)(f)[1] defines personnel to be notified when approved changes to the information system are completed; and
    CM-3(1)(f)[2] employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.

CM-3(2) TEST / VALIDATE / DOCUMENT CHANGES
Determine if the organization, before implementing changes on the operational system:
  CM-3(2)[1] tests changes to the information system;
  CM-3(2)[2] validates changes to the information system; and
  CM-3(2)[3] documents changes to the information system.

CM-3(3) AUTOMATED CHANGE IMPLEMENTATION
Determine if the organization:
  CM-3(3)[1] employs automated mechanisms to implement changes to the current information system baseline; and
  CM-3(3)[2] deploys the updated baseline across the installed base.

CM-3(4) SECURITY REPRESENTATIVE
Determine if the organization:
  CM-3(4)[1] specifies the configuration change control elements (as defined in CM-3g) of which an information security representative is to be a member; and
  CM-3(4)[2] requires an information security representative to be a member of the specified configuration change control element.

CM-3(5) AUTOMATED SECURITY RESPONSE
Determine if:
  CM-3(5)[1] the organization defines security responses to be implemented automatically if baseline configurations are changed in an unauthorized manner; and
  CM-3(5)[2] the information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.

CM-3(6) CRYPTOGRAPHY MANAGEMENT
Determine if the organization:
  CM-3(6)[1] defines security safeguards provided by cryptographic mechanisms that are to be under configuration management; and
  CM-3(6)[2] ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management.

CONFIGURATION MANAGEMENT
CM-4 SECURITY IMPACT ANALYSIS
Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

CM-4(1) SEPARATE TEST ENVIRONMENTS
Determine if the organization:
  CM-4(1)[1] analyzes changes to the information system in a separate test environment before implementation in an operational environment;
  CM-4(1)[2] when analyzing changes to the information system in a separate test environment, looks for security impacts due to:
    CM-4(1)[2][a] flaws;
    CM-4(1)[2][b] weaknesses;
    CM-4(1)[2][c] incompatibility; and
    CM-4(1)[2][d] intentional malice.

CM-4(2) VERIFICATION OF SECURITY FUNCTIONS
Determine if the organization, after the information system is changed, checks the security functions to verify that the functions are:
  CM-4(2)[1] implemented correctly;
  CM-4(2)[2] operating as intended; and
  CM-4(2)[3] producing the desired outcome with regard to meeting the security requirements for the system.

CONFIGURATION MANAGEMENT
CM-5 ACCESS RESTRICTIONS FOR CHANGE
Determine if the organization:
  CM-5[1] defines physical access restrictions associated with changes to the information system;
  CM-5[2] documents physical access restrictions associated with changes to the information system;
  CM-5[3] approves physical access restrictions associated with changes to the information system;
  CM-5[4] enforces physical access restrictions associated with changes to the information system;
  CM-5[5] defines logical access restrictions associated with changes to the information system;
  CM-5[6] documents logical access restrictions associated with changes to the information system;
  CM-5[7] approves logical access restrictions associated with changes to the information system; and
  CM-5[8] enforces logical access restrictions associated with changes to the information system.

CM-5(1) AUTOMATED ACCESS ENFORCEMENT / AUDITING
Determine if the information system:
  CM-5(1)[1] enforces access restrictions for change; and
  CM-5(1)[2] supports auditing of the enforcement actions.

CM-5(2) REVIEW SYSTEM CHANGES
Determine if the organization, in an effort to ascertain whether unauthorized changes have occurred:
  CM-5(2)[1] defines the frequency to review information system changes;
  CM-5(2)[2] defines circumstances that warrant review of information system changes;
  CM-5(2)[3] reviews information system changes with the organization-defined frequency; and
  CM-5(2)[4] reviews information system changes under the organization-defined circumstances.

CM-5(3) SIGNED COMPONENTS
Determine if:
  CM-5(3)[1] the organization defines software and firmware components that the information system will prevent from being installed without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization; and
  CM-5(3)[2] the information system prevents the installation of organization-defined software and firmware components without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization.

CM-5(4) DUAL AUTHORIZATION
Determine if the organization:
  CM-5(4)[1] defines information system components and system-level information requiring dual authorization to be enforced when implementing changes; and
  CM-5(4)[2] enforces dual authorization for implementing changes to organization-defined information system components and system-level information.

CM-5(5) LIMIT PRODUCTION / OPERATIONAL PRIVILEGES
Determine if the organization:
  CM-5(5)(a) limits privileges to change information system components and system-related information within a production or operational environment;
  CM-5(5)(b)
    CM-5(5)(b)[1] defines the frequency to review and reevaluate privileges; and
    CM-5(5)(b)[2] reviews and reevaluates privileges with the organization-defined frequency.

CM-5(6) LIMIT LIBRARY PRIVILEGES
Determine if the organization limits privileges to change software resident within software libraries.

CM-5(7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS
[Withdrawn: Incorporated into SI-7].

CONFIGURATION MANAGEMENT
CM-6 CONFIGURATION SETTINGS
Determine if the organization:
  CM-6(a)
    CM-6(a)[1] defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;
    CM-6(a)[2] ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;
    CM-6(a)[3] establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;
  CM-6(b) implements the configuration settings established/documented in CM-6(a);
  CM-6(c)
    CM-6(c)[1] defines information system components for which any deviations from established configuration settings must be:
      CM-6(c)[1][a] identified;
      CM-6(c)[1][b] documented;
      CM-6(c)[1][c] approved;
    CM-6(c)[2] defines operational requirements to support:
      CM-6(c)[2][a] the identification of any deviations from established configuration settings;
      CM-6(c)[2][b] the documentation of any deviations from established configuration settings;
      CM-6(c)[2][c] the approval of any deviations from established configuration settings;
    CM-6(c)[3] identifies any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements;
    CM-6(c)[4] documents any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements;
    CM-6(c)[5] approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements;
  CM-6(d)
    CM-6(d)[1] monitors changes to the configuration settings in accordance with organizational policies and procedures; and
    CM-6(d)[2] controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-6(1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION
Determine if the organization:
  CM-6(1)[1] defines information system components for which automated mechanisms are to be employed to:
    CM-6(1)[1][a] centrally manage configuration settings of such components;
    CM-6(1)[1][b] apply configuration settings of such components;
    CM-6(1)[1][c] verify configuration settings of such components;
  CM-6(1)[2] employs automated mechanisms to:
    CM-6(1)[2][a] centrally manage configuration settings for organization-defined information system components;
    CM-6(1)[2][b] apply configuration settings for organization-defined information system components; and
    CM-6(1)[2][c] verify configuration settings for organization-defined information system components.

CM-6(2) RESPOND TO UNAUTHORIZED CHANGES
Determine if the organization:
  CM-6(2)[1] defines configuration settings that, if modified by unauthorized changes, result in organizational security safeguards being employed to respond to such changes;
  CM-6(2)[2] defines security safeguards to be employed to respond to unauthorized changes to organization-defined configuration settings; and
  CM-6(2)[3] employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.

CM-6(3) UNAUTHORIZED CHANGE DETECTION
[Withdrawn: Incorporated into SI-7].

CM-6(4) CONFORMANCE DEMONSTRATION
[Withdrawn: Incorporated into CM-4].

CONFIGURATION MANAGEMENT
CM-7 LEAST FUNCTIONALITY
Determine if the organization:
  CM-7(a) configures the information system to provide only essential capabilities;
  CM-7(b)
    CM-7(b)[1] defines prohibited or restricted:
      CM-7(b)[1][a] functions;
      CM-7(b)[1][b] ports;
      CM-7(b)[1][c] protocols; and/or
      CM-7(b)[1][d] services;
    CM-7(b)[2] prohibits or restricts the use of organization-defined:
      CM-7(b)[2][a] functions;
      CM-7(b)[2][b] ports;
      CM-7(b)[2][c] protocols; and/or
      CM-7(b)[2][d] services.

CM-7(1) PERIODIC REVIEW
Determine if the organization:
  CM-7(1)(a)
    CM-7(1)(a)[1] defines the frequency to review the information system to identify unnecessary and/or nonsecure:
      CM-7(1)(a)[1][a] functions;
      CM-7(1)(a)[1][b] ports;
      CM-7(1)(a)[1][c] protocols; and/or
      CM-7(1)(a)[1][d] services;
    CM-7(1)(a)[2] reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:
      CM-7(1)(a)[2][a] functions;
      CM-7(1)(a)[2][b] ports;
      CM-7(1)(a)[2][c] protocols; and/or
      CM-7(1)(a)[2][d] services;
  CM-7(1)(b)
    CM-7(1)(b)[1] defines, within the information system, unnecessary and/or nonsecure:
      CM-7(1)(b)[1][a] functions;
      CM-7(1)(b)[1][b] ports;
      CM-7(1)(b)[1][c] protocols; and/or
      CM-7(1)(b)[1][d] services;
    CM-7(1)(b)[2] disables organization-defined unnecessary and/or nonsecure:
      CM-7(1)(b)[2][a] functions;
      CM-7(1)(b)[2][b] ports;
      CM-7(1)(b)[2][c] protocols; and/or
      CM-7(1)(b)[2][d] services.

CM-7(2) PREVENT PROGRAM EXECUTION
Determine if:
  CM-7(2)[1] the organization defines policies regarding software program usage and restrictions;
  CM-7(2)[2] the information system prevents program execution in accordance with one or more of the following:
    CM-7(2)[2][a] organization-defined policies regarding program usage and restrictions; and/or
    CM-7(2)[2][b] rules authorizing the terms and conditions of software program usage.

CM-7(3) REGISTRATION COMPLIANCE
Determine if the organization:
  CM-7(3)[1] defines registration requirements for:
    CM-7(3)[1][a] functions;
    CM-7(3)[1][b] ports;
    CM-7(3)[1][c] protocols; and/or
    CM-7(3)[1][d] services;
  CM-7(3)[2] ensures compliance with organization-defined registration requirements for:
    CM-7(3)[2][a] functions;
    CM-7(3)[2][b] ports;
    CM-7(3)[2][c] protocols; and/or
    CM-7(3)[2][d] services.

CM-7(4) UNAUTHORIZED SOFTWARE (BLACKLISTING)
Determine if the organization:
  CM-7(4)(a) identifies/defines software programs not authorized to execute on the information system;
  CM-7(4)(b) employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system;
  CM-7(4)(c)
    CM-7(4)(c)[1] defines the frequency to review and update the list of unauthorized software programs on the information system; and
    CM-7(4)(c)[2] reviews and updates the list of unauthorized software programs with the organization-defined frequency.

CM-7(5) AUTHORIZED SOFTWARE (WHITELISTING)
Determine if the organization:
  CM-7(5)(a) identifies/defines software programs authorized to execute on the information system;
  CM-7(5)(b) employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system;
  CM-7(5)(c)
    CM-7(5)(c)[1] defines the frequency to review and update the list of authorized software programs on the information system; and
    CM-7(5)(c)[2] reviews and updates the list of authorized software programs with the organization-defined frequency.

CONFIGURATION MANAGEMENT
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
Determine if the organization:
  CM-8(a)
    CM-8(a)(1) develops and documents an inventory of information system components that accurately reflects the current information system;
    CM-8(a)(2) develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;
    CM-8(a)(3) develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;
    CM-8(a)(4)
      CM-8(a)(4)[1] defines the information deemed necessary to achieve effective information system component accountability;
      CM-8(a)(4)[2] develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;
  CM-8(b)
    CM-8(b)[1] defines the frequency to review and update the information system component inventory; and
    CM-8(b)[2] reviews and updates the information system component inventory with the organization-defined frequency.

CM-8(1) UPDATES DURING INSTALLATIONS / REMOVALS
Determine if the organization updates the inventory of information system components as an integral part of:
  CM-8(1)[1] component installations;
  CM-8(1)[2] component removals; and
  CM-8(1)[3] information system updates.

CM-8(2) AUTOMATED MAINTENANCE
Determine if the organization employs automated mechanisms to maintain an inventory of information system components that is:
  CM-8(2)[1] up-to-date;
  CM-8(2)[2] complete;
  CM-8(2)[3] accurate; and
  CM-8(2)[4] readily available.

CM-8(3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION
Determine if the organization:
  CM-8(3)(a)
    CM-8(3)(a)[1] defines the frequency to employ automated mechanisms to detect the presence of unauthorized:
      CM-8(3)(a)[1][a] hardware components within the information system;
      CM-8(3)(a)[1][b] software components within the information system;
      CM-8(3)(a)[1][c] firmware components within the information system;
    CM-8(3)(a)[2] employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:
      CM-8(3)(a)[2][a] hardware components within the information system;
      CM-8(3)(a)[2][b] software components within the information system;
      CM-8(3)(a)[2][c] firmware components within the information system;
  CM-8(3)(b)
    CM-8(3)(b)[1] defines personnel or roles to be notified when unauthorized components are detected;
    CM-8(3)(b)[2] takes one or more of the following actions when unauthorized components are detected:
      CM-8(3)(b)[2][a] disables network access by such components;
      CM-8(3)(b)[2][b] isolates the components; and/or
      CM-8(3)(b)[2][c] notifies organization-defined personnel or roles.

CM-8(4) ACCOUNTABILITY INFORMATION
Determine if the organization includes in the information system component inventory for information system components, a means for identifying the individuals responsible and accountable for administering those components by one or more of the following:
  CM-8(4)[1] name;
  CM-8(4)[2] position; and/or
  CM-8(4)[3] role.

CM-8(5) NO DUPLICATE ACCOUNTING OF COMPONENTS
Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

CM-8(6) ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS
Determine if the organization includes in the information system component inventory:
  CM-8(6)[1] assessed component configurations; and
  CM-8(6)[2] any approved deviations to current deployed configurations.

CM-8(7) CENTRALIZED REPOSITORY
Determine if the organization provides a centralized repository for the inventory of information system components.

CM-8(8) AUTOMATED LOCATION TRACKING
Determine if the organization employs automated mechanisms to support tracking of information system components by geographic location.
CM-8(9) ASSIGNMENT OF COMPONENTS TO SYSTEMS
Determine if the organization:
  CM-8(9)(a)
    CM-8(9)(a)[1] defines acquired information system components to be assigned to an information system;
    CM-8(9)(a)[2] assigns organization-defined acquired information system components to an information system; and
  CM-8(9)(b) receives an acknowledgement from the information system owner of the assignment.

CONFIGURATION MANAGEMENT
CM-9 CONFIGURATION MANAGEMENT PLAN
Determine if the organization develops, documents, and implements a configuration management plan for the information system that:
  CM-9(a)
    CM-9(a)[1] addresses roles;
    CM-9(a)[2] addresses responsibilities;
    CM-9(a)[3] addresses configuration management processes and procedures;
  CM-9(b) establishes a process for:
    CM-9(b)[1] identifying configuration items throughout the SDLC;
    CM-9(b)[2] managing the configuration of the configuration items;
  CM-9(c)
    CM-9(c)[1] defines the configuration items for the information system;
    CM-9(c)[2] places the configuration items under configuration management;
  CM-9(d) protects the configuration management plan from unauthorized:
    CM-9(d)[1] disclosure; and
    CM-9(d)[2] modification.

CM-9(1) ASSIGNMENT OF RESPONSIBILITY
Determine if the organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CONFIGURATION MANAGEMENT
CM-10 SOFTWARE USAGE RESTRICTIONS
Determine if the organization:
  CM-10(a) uses software and associated documentation in accordance with contract agreements and copyright laws;
  CM-10(b) tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
  CM-10(c) controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-10(1) OPEN SOURCE SOFTWARE
Determine if the organization:
  CM-10(1)[1] defines restrictions on the use of open source software; and
  CM-10(1)[2] establishes organization-defined restrictions on the use of open source software.

CONFIGURATION MANAGEMENT
CM-11 USER-INSTALLED SOFTWARE
Determine if the organization:
  CM-11(a)
    CM-11(a)[1] defines policies to govern the installation of software by users;
    CM-11(a)[2] establishes organization-defined policies governing the installation of software by users;
  CM-11(b)
    CM-11(b)[1] defines methods to enforce software installation policies;
    CM-11(b)[2] enforces software installation policies through organization-defined methods;
  CM-11(c)
    CM-11(c)[1] defines the frequency to monitor policy compliance; and
    CM-11(c)[2] monitors policy compliance at the organization-defined frequency.

CM-11(1) ALERTS FOR UNAUTHORIZED INSTALLATIONS
Determine if:
  CM-11(1)[1] the organization defines personnel or roles to be alerted when the unauthorized installation of software is detected; and
  CM-11(1)[2] the information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.

CM-11(2) PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS
Determine if the information system prohibits user installation of software without explicit privileged status.

CONTINGENCY PLANNING
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
Determine if:
  CP-1(a)(1)
    CP-1(a)(1)[1] the organization develops and documents a contingency planning policy that addresses:
      CP-1(a)(1)[1][a] purpose;
      CP-1(a)(1)[1][b] scope;
      CP-1(a)(1)[1][c] roles;
      CP-1(a)(1)[1][d] responsibilities;
      CP-1(a)(1)[1][e] management commitment;
      CP-1(a)(1)[1][f] coordination among organizational entities;
      CP-1(a)(1)[1][g] compliance;
    CP-1(a)(1)[2] the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;
    CP-1(a)(1)[3] the organization disseminates the contingency planning policy to organization-defined personnel or roles;
  CP-1(a)(2)
    CP-1(a)(2)[1] the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;
    CP-1(a)(2)[2] the organization defines personnel or roles to whom the procedures are to be disseminated;
    CP-1(a)(2)[3] the organization disseminates the procedures to organization-defined personnel or roles;
  CP-1(b)(1)
    CP-1(b)(1)[1] the organization defines the frequency to review and update the current contingency planning policy;
    CP-1(b)(1)[2] the organization reviews and updates the current contingency planning policy with the organization-defined frequency;
  CP-1(b)(2)
    CP-1(b)(2)[1] the organization defines the frequency to review and update the current contingency planning procedures; and
    CP-1(b)(2)[2] the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

CONTINGENCY PLANNING
CP-2 CONTINGENCY PLAN
Determine if the organization:
  CP-2(a) develops and documents a contingency plan for the information system that:
    CP-2(a)(1) identifies essential missions and business functions and associated contingency requirements;
    CP-2(a)(2)
      CP-2(a)(2)[1] provides recovery objectives;
      CP-2(a)(2)[2] provides restoration priorities;
      CP-2(a)(2)[3] provides metrics;
    CP-2(a)(3)
      CP-2(a)(3)[1] addresses contingency roles;
      CP-2(a)(3)[2] addresses contingency responsibilities;
      CP-2(a)(3)[3] addresses assigned individuals with contact information;
    CP-2(a)(4) addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
    CP-2(a)(5) addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;
    CP-2(a)(6)
      CP-2(a)(6)[1] defines personnel or roles to review and approve the contingency plan for the information system;
      CP-2(a)(6)[2] is reviewed and approved by organization-defined personnel or roles;
  CP-2(b)
    CP-2(b)[1] defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;
    CP-2(b)[2] distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;
  CP-2(c) coordinates contingency planning activities with incident handling activities;
  CP-2(d)
    CP-2(d)[1] defines a frequency to review the contingency plan for the information system;
    CP-2(d)[2] reviews the contingency plan with the organization-defined frequency;
  CP-2(e) updates the contingency plan to address:
    CP-2(e)[1] changes to the organization, information system, or environment of operation;
    CP-2(e)[2] problems encountered during plan implementation, execution, and testing;
  CP-2(f)
    CP-2(f)[1] defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;
    CP-2(f)[2] communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and
  CP-2(g) protects the contingency plan from unauthorized disclosure and modification.

CP-2(1) COORDINATE WITH RELATED PLANS
Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2(2) CAPACITY PLANNING
Determine if the organization conducts capacity planning so that necessary capacity exists during contingency operations for:
  CP-2(2)[1] information processing;
  CP-2(2)[2] telecommunications; and
  CP-2(2)[3] environmental support.

CP-2(3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
Determine if the organization:
  CP-2(3)[1] defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and
  CP-2(3)[2] plans for the resumption of essential missions and business functions within the organization-defined time period of contingency plan activation.

CP-2(4) RESUME ALL MISSIONS / BUSINESS FUNCTIONS
Determine if the organization:
  CP-2(4)[1] defines the time period to plan for the resumption of all missions and business functions as a result of contingency plan activation; and
  CP-2(4)[2] plans for the resumption of all missions and business functions within the organization-defined time period of contingency plan activation.

CP-2(5) CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
Determine if the organization:
  CP-2(5)[1] plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and
  CP-2(5)[2] sustains that operational continuity until full information system restoration at primary processing and/or storage sites.

CP-2(6) ALTERNATE PROCESSING / STORAGE SITE
Determine if the organization:
  CP-2(6)[1] plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity; and
  CP-2(6)[2] sustains that operational continuity through information system restoration to primary processing and/or storage sites.

CP-2(7) COORDINATE WITH EXTERNAL SERVICE PROVIDERS
Determine if the organization coordinates its contingency plan with the contingency plans of external service providers to ensure contingency requirements can be satisfied.
CP-2(8) IDENTIFY CRITICAL ASSETS
Determine if the organization identifies critical information system assets supporting essential missions and business functions.

CONTINGENCY PLANNING
CP-3 CONTINGENCY TRAINING
Determine if the organization:
  CP-3(a)
    CP-3(a)[1] defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;
    CP-3(a)[2] provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;
  CP-3(b) provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;
  CP-3(c)
    CP-3(c)[1] defines the frequency for contingency training thereafter; and
    CP-3(c)[2] provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

CP-3(1) SIMULATED EVENTS
Determine if the organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

CP-3(2) AUTOMATED TRAINING ENVIRONMENTS
Determine if the organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.

CONTINGENCY PLANNING
CP-4 CONTINGENCY PLAN TESTING
Determine if the organization:
  CP-4(a)
    CP-4(a)[1] defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;
    CP-4(a)[2] defines a frequency to test the contingency plan for the information system;
    CP-4(a)[3] tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  CP-4(b) reviews the contingency plan test results; and
  CP-4(c) initiates corrective actions, if needed.

CP-4(1) COORDINATE WITH RELATED PLANS
Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans.

CP-4(2) ALTERNATE PROCESSING SITE
Determine if the organization tests the contingency plan at the alternate processing site to:
  CP-4(2)(a) familiarize contingency personnel with the facility and available resources; and
  CP-4(2)(b) evaluate the capabilities of the alternate processing site to support contingency operations.

CP-4(3) AUTOMATED TESTING
Determine if the organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.

CP-4(4) FULL RECOVERY / RECONSTITUTION
Determine if the organization:
  CP-4(4)[1] includes a full recovery of the information system to a known state as part of contingency plan testing; and
  CP-4(4)[2] includes a full reconstitution of the information system to a known state as part of contingency plan testing.

CONTINGENCY PLANNING
CP-5 CONTINGENCY PLAN UPDATE
[Withdrawn: Incorporated into CP-2].

CONTINGENCY PLANNING
CP-6 ALTERNATE STORAGE SITE
Determine if the organization:
  CP-6[1] establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
  CP-6[2] ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

CP-6(1) SEPARATION FROM PRIMARY SITE
Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CP-6(2) RECOVERY TIME / POINT OBJECTIVES
Determine if the organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives (as specified in the information system contingency plan).

CP-6(3) ACCESSIBILITY
Determine if the organization:
  CP-6(3)[1] identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and
  CP-6(3)[2] outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

CONTINGENCY PLANNING
CP-7 ALTERNATE PROCESSING SITE
Determine if the organization:
  CP-7(a)
    CP-7(a)[1] defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;
    CP-7(a)[2] defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions;
    CP-7(a)[3] establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;
  CP-7(b)
    CP-7(b)[1] ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or
    CP-7(b)[2] ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
  CP-7(c) ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

CP-7(1) SEPARATION FROM PRIMARY SITE
Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats.

CP-7(2) ACCESSIBILITY
Determine if the organization:
  CP-7(2)[1] identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and
  CP-7(2)[2] outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

CP-7(3) PRIORITY OF SERVICE
Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan).

CP-7(4) PREPARATION FOR USE
Determine if the organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

CP-7(5) EQUIVALENT INFORMATION SECURITY SAFEGUARDS
[Withdrawn: Incorporated into CP-7].

CP-7(6) INABILITY TO RETURN TO PRIMARY SITE
Determine if the organization plans and prepares for circumstances that preclude returning to the primary processing site.

CONTINGENCY PLANNING
CP-8 TELECOMMUNICATIONS SERVICES
Determine if the organization:
  CP-8[1] defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;
  CP-8[2] defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and
  CP-8[3] establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

CP-8(1) PRIORITY OF SERVICE PROVISIONS
Determine if the organization:
  CP-8(1)[1] develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and
  CP-8(1)[2] requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

CP-8(2) SINGLE POINTS OF FAILURE
Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

CP-8(3) SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
Determine if the organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-8(4)PROVIDER CONTINGENCY PLANDetermine if the organization: CP-8(4)(a)CP-8(4)(a)[1]requires primary telecommunications service provider to have contingency plans;CP-8(4)(a)[2]requires alternate telecommunications service provider(s) to have contingency plans;CP-8(4)(b)reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;CP-8(4)(c)CP-8(4)(c)[1]defines the frequency to obtain evidence of contingency testing/training by providers; andCP-8(4)(c)[2]obtains evidence of contingency testing/training by providers with the organization-defined frequency.CP-8(5)ALTERNATE TELECOMMUNICATION SERVICE TESTINGDetermine if the organization: CP-8(5)[1]defines the frequency to test alternate telecommunication services; andCP-8(5)[2]tests alternate telecommunication services with the organization-defined frequency.CONTINGENCY PLANNINGCP-9INFORMATION SYSTEM BACKUPDetermine if the organization: CP-9(a)CP-9(a)[1]defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;CP-9(a)[2]conducts backups of user-level information contained in the information system with the organization-defined frequency;CP-9(b)CP-9(b)[1]defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;CP-9(b)[2]conducts backups of system-level information contained in the information system with the organization-defined frequency;CP-9(c)CP-9(c)[1]defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;CP-9(c)[2]conducts backups of information 
system documentation, including security-related documentation, with the organization-defined frequency; andCP-9(d)protects the confidentiality, integrity, and availability of backup information at storage locations.CP-9(1)TESTING FOR RELIABILITY / INTEGRITYDetermine if the organization: CP-9(1)[1]defines the frequency to test backup information to verify media reliability and information integrity; andCP-9(1)[2]tests backup information with the organization-defined frequency to verify media reliability and information integrity.CP-9(2)TEST RESTORATION USING SAMPLINGDetermine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. CP-9(3)SEPARATE STORAGE FOR CRITICAL INFORMATIONDetermine if the organization: CP-9(3)[1]CP-9(3)[1][a]defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; orCP-9(3)[1][b]defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; andCP-9(3)[2]stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.CP-9(4)PROTECTION FROM UNAUTHORIZED MODIFICATIONCP-9[Withdrawn: Incorporated into CP-9].CP-9(5)TRANSFER TO ALTERNATE STORAGE SITEDetermine if the organization: CP-9(5)[1]defines a time period, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site;CP-9(5)[2]defines a transfer rate, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, 
to transfer information system backup information to the alternate storage site; andCP-9(5)[3]transfers information system backup information to the alternate storage site with the organization-defined time period and transfer rate.CP-9(6)REDUNDANT SECONDARY SYSTEMDetermine if the organization accomplishes information system backup by maintaining a redundant secondary system that: CP-9(6)[1]is not collocated with the primary system; andCP-9(6)[2]can be activated without loss of information or disruption to operations.CP-9(7)DUAL AUTHORIZATIONDetermine if the organization:CP-9(7)[1]defines backup information that requires dual authorization to be enforced for the deletion or destruction of such information; andCP-9(7)[2]enforces dual authorization for the deletion or destruction of organization-defined backup information.CONTINGENCY PLANNINGCP-10INFORMATION SYSTEM RECOVERY AND RECONSTITUTIONDetermine if the organization provides for: CP-10[1]the recovery of the information system to a known state after:CP-10[1][a]a disruption;CP-10[1][b]a compromise; orCP-10[1][c]a failure;CP-10[2]the reconstitution of the information system to a known state after:CP-10[2][a]a disruption;CP-10[2][b]a compromise; orCP-10[2][c]a failure.CP-10(1)CONTINGENCY PLAN TESTINGCP-4[Withdrawn: Incorporated into CP-4].CP-10(2)TRANSACTION RECOVERYDetermine if the information system implements transaction recovery for systems that are transaction-based. CP-10(3)COMPENSATING SECURITY CONTROLS800-53 Rev. 
4 - Chapter 3[Withdrawn: Addressed through tailoring procedures].CP-10(4)RESTORE WITHIN TIME PERIODDetermine if the organization: CP-10(4)[1]defines a time period to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components; andCP-10(4)[2]provides the capability to restore information system components within the organization-defined time period from configuration-controlled and integrity-protected information representing a known, operational state for the components.CP-10(5)FAILOVER CAPABILITYSI-13[Withdrawn: Incorporated into SI-13].CP-10(6)COMPONENT PROTECTIONDetermine if the organization protects backup and restoration: CP-10(6)[1]hardware;CP-10(6)[2]firmware; andCP-10(6)[3]software.CONTINGENCY PLANNINGCP-11ALTERNATE COMMUNICATIONS PROTOCOLSDetermine if:CP-11[1]the organization defines alternative communications protocols to be employed in support of maintaining continuity of operations; andCP-11[2]the information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations.CONTINGENCY PLANNINGCP-12SAFE MODEDetermine if: CP-12[1]the organization defines conditions that, when detected, requires the information system to enter a safe mode of operation;CP-12[2]the organization defines restrictions of safe mode of operation; andCP-12[3]the information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation.CONTINGENCY PLANNINGCP-13ALTERNATIVE SECURITY MECHANISMSDetermine if the organization:CP-13[1]defines alternative or supplemental security mechanisms to be employed when the primary means of implementing the security function is unavailable or compromised;CP-13[2]defines security functions to be satisfied using organization-defined alternative or supplemental security 
mechanisms when the primary means of implementing the security function is unavailable or compromised; andCP-13[3]employs organization-defined alternative or supplemental security mechanisms satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.IDENTIFICATION AND AUTHENTICATIONIA-1IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURESDetermine if the organization:IA-1(a)(1)IA-1(a)(1)[1]develops and documents an identification and authentication policy that addresses:IA-1(a)(1)[1][a]purpose;IA-1(a)(1)[1][b]scope;IA-1(a)(1)[1][c]roles;IA-1(a)(1)[1][d]responsibilities;IA-1(a)(1)[1][e]management commitment;IA-1(a)(1)[1][f]coordination among organizational entities;IA-1(a)(1)[1][g]compliance;IA-1(a)(1)[2]defines personnel or roles to whom the identification and authentication policy is to be disseminated; andIA-1(a)(1)[3]disseminates the identification and authentication policy to organization-defined personnel or roles;IA-1(a)(2)IA-1(a)(2)[1]develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;IA-1(a)(2)[2]defines personnel or roles to whom the procedures are to be disseminated;IA-1(a)(2)[3]disseminates the procedures to organization-defined personnel or roles;IA-1(b)(1)IA-1(b)(1)[1]defines the frequency to review and update the current identification and authentication policy;IA-1(b)(1)[2]reviews and updates the current identification and authentication policy with the organization-defined frequency; andIA-1(b)(2)IA-1(b)(2)[1]defines the frequency to review and update the current identification and authentication procedures; andIA-1(b)(2)[2]reviews and updates the current identification and authentication procedures with the organization-defined frequency.IDENTIFICATION AND AUTHENTICATIONIA-2IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)Determine if the 
information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).IA-2(1)NETWORK ACCESS TO PRIVILEGED ACCOUNTSDetermine if the information system implements multifactor authentication for network access to privileged accounts.IA-2(2)NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTSDetermine if the information system implements multifactor authentication for network access to non-privileged accounts.IA-2(3)LOCAL ACCESS TO PRIVILEGED ACCOUNTSDetermine if the information system implements multifactor authentication for local access to privileged accounts.IA-2(4)LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTSDetermine if the information system implements multifactor authentication for local access to non-privileged accounts.IA-2(5)GROUP AUTHENTICATIONDetermine if the organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.IA-2(6)NETWORK ACCESS TO PRIVILEGED ACCOUNTS –SEPARATE DEVICEDetermine if: IA-2(6)[1]the information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;IA-2(6)[2]the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining network access to privileged accounts; andIA-2(6)[3]the information system implements multifactor authentication for network access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.IA-2(7)NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS –SEPARATE DEVICEDetermine if: IA-2(7)[1]the information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;IA-2(7)[2]the organization defines strength of mechanism requirements 
to be enforced by a device separate from the system gaining network access to non-privileged accounts; andIA-2(7)[3]the information system implements multifactor authentication for network access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.IA-2(8)NETWORK ACCESS TO PRIVILEGED ACCOUNTS – REPLAY RESISTANTDetermine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts. IA-2(9)NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS – REPLAY RESISTANTDetermine if the information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. IA-2(10)SINGLE SIGN-ONDetermine if: IA-2(10)[1]the organization defines a list of information system accounts and services for which a single sign-on capability must be provided; andIA-2(10)[2]the information system provides a single sign-on capability for organization-defined information system accounts and services.IA-2(11)REMOTE ACCESS – SEPARATE DEVICEDetermine if: IA-2(11)[1]the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;IA-2(11)[2]the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;IA-2(11)[3]the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;IA-2(11)[4]the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;IA-2(11)[5]the information system implements multifactor authentication for remote access to privileged accounts such that a 
device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and
IA-2(11)[6] the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.

IA-2(12) ACCEPTANCE OF PIV CREDENTIALS
Determine if the information system:
IA-2(12)[1] accepts Personal Identity Verification (PIV) credentials; and
IA-2(12)[2] electronically verifies Personal Identity Verification (PIV) credentials.

IA-2(13) OUT-OF-BAND AUTHENTICATION
Determine if:
IA-2(13)[1] the organization defines out-of-band authentication to be implemented by the information system;
IA-2(13)[2] the organization defines conditions under which the information system implements organization-defined out-of-band authentication; and
IA-2(13)[3] the information system implements organization-defined out-of-band authentication under organization-defined conditions.

IDENTIFICATION AND AUTHENTICATION
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
Determine if:
IA-3[1] the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:
    IA-3[1][a] a local connection;
    IA-3[1][b] a remote connection; and/or
    IA-3[1][c] a network connection; and
IA-3[2] the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:
    IA-3[2][a] a local connection;
    IA-3[2][b] a remote connection; and/or
    IA-3[2][c] a network connection.

IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
Determine if:
IA-3(1)[1] the organization defines specific and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more of the following:
    IA-3(1)[1][a] a local connection;
    IA-3(1)[1][b] a remote connection; and/or
    IA-3(1)[1][c] a network connection;
IA-3(1)[2] the information system uses cryptographically based bidirectional authentication to authenticate organization-defined devices before establishing one or more of the following:
    IA-3(1)[2][a] a local connection;
    IA-3(1)[2][b] a remote connection; and/or
    IA-3(1)[2][c] a network connection.

IA-3(2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION
[Withdrawn: Incorporated into IA-3(1)].

IA-3(3) DYNAMIC ADDRESS ALLOCATION
Determine if the organization:
IA-3(3)(a)
    IA-3(3)(a)[1] defines lease information to be employed to standardize dynamic address allocation for devices;
    IA-3(3)(a)[2] defines lease duration to be employed to standardize dynamic address allocation for devices;
    IA-3(3)(a)[3] standardizes dynamic address allocation of lease information assigned to devices in accordance with organization-defined lease information;
    IA-3(3)(a)[4] standardizes dynamic address allocation of the lease duration assigned to devices in accordance with organization-defined lease duration; and
IA-3(3)(b) audits lease information when assigned to a device.

IA-3(4) DEVICE ATTESTATION
Determine if the organization:
IA-3(4)[1] defines configuration management process to be employed to handle device identification and authentication based on attestation; and
IA-3(4)[2] ensures that device identification and authentication based on attestation is handled by organization-defined configuration management process.

IDENTIFICATION AND AUTHENTICATION
IA-4 IDENTIFIER MANAGEMENT
Determine if the organization manages information system identifiers by:
IA-4(a)
    IA-4(a)[1] defining personnel or roles from whom authorization must be received to assign:
        IA-4(a)[1][a] an individual identifier;
        IA-4(a)[1][b] a group identifier;
        IA-4(a)[1][c] a role identifier; and/or
        IA-4(a)[1][d] a device identifier;
    IA-4(a)[2] receiving authorization from organization-defined personnel or roles to assign:
        IA-4(a)[2][a] an individual identifier;
        IA-4(a)[2][b] a group identifier;
        IA-4(a)[2][c] a role identifier; and/or
        IA-4(a)[2][d] a device identifier;
IA-4(b) selecting an identifier that identifies:
    IA-4(b)[1] an individual;
    IA-4(b)[2] a group;
    IA-4(b)[3] a role; and/or
    IA-4(b)[4] a device;
IA-4(c) assigning the identifier to the intended:
    IA-4(c)[1] individual;
    IA-4(c)[2] group;
    IA-4(c)[3] role; and/or
    IA-4(c)[4] device;
IA-4(d)
    IA-4(d)[1] defining a time period for preventing reuse of identifiers;
    IA-4(d)[2] preventing reuse of identifiers for the organization-defined time period;
IA-4(e)
    IA-4(e)[1] defining a time period of inactivity to disable the identifier; and
    IA-4(e)[2] disabling the identifier after the organization-defined time period of inactivity.

IA-4(1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS
Determine if the organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.

IA-4(2) SUPERVISOR AUTHORIZATION
Determine if the organization requires that the registration process to receive an individual identifier includes supervisor authorization.

IA-4(3) MULTIPLE FORMS OF CERTIFICATION
Determine if the organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.

IA-4(4) IDENTIFY USER STATUS
Determine if the organization:
IA-4(4)[1] defines a characteristic to be used to identify individual status; and
IA-4(4)[2] manages individual identifiers by uniquely identifying each individual as the organization-defined characteristic identifying individual status.

IA-4(5) DYNAMIC MANAGEMENT
Determine if the information system dynamically manages identifiers.
IA-4(6) CROSS-ORGANIZATION MANAGEMENT
Determine if the organization:
IA-4(6)[1] defines external organizations with whom to coordinate cross-organization management of identifiers; and
IA-4(6)[2] coordinates with organization-defined external organizations for cross-organization management of identifiers.

IA-4(7) IN-PERSON REGISTRATION
Determine if the organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.

IDENTIFICATION AND AUTHENTICATION
IA-5 AUTHENTICATOR MANAGEMENT
Determine if the organization manages information system authenticators by:
IA-5(a) verifying, as part of the initial authenticator distribution, the identity of:
    IA-5(a)[1] the individual receiving the authenticator;
    IA-5(a)[2] the group receiving the authenticator;
    IA-5(a)[3] the role receiving the authenticator; and/or
    IA-5(a)[4] the device receiving the authenticator;
IA-5(b) establishing initial authenticator content for authenticators defined by the organization;
IA-5(c) ensuring that authenticators have sufficient strength of mechanism for their intended use;
IA-5(d)
    IA-5(d)[1] establishing and implementing administrative procedures for initial authenticator distribution;
    IA-5(d)[2] establishing and implementing administrative procedures for lost/compromised or damaged authenticators;
    IA-5(d)[3] establishing and implementing administrative procedures for revoking authenticators;
IA-5(e) changing default content of authenticators prior to information system installation;
IA-5(f)
    IA-5(f)[1] establishing minimum lifetime restrictions for authenticators;
    IA-5(f)[2] establishing maximum lifetime restrictions for authenticators;
    IA-5(f)[3] establishing reuse conditions for authenticators;
IA-5(g)
    IA-5(g)[1] defining a time period (by authenticator type) for changing/refreshing authenticators;
    IA-5(g)[2] changing/refreshing authenticators with the organization-defined time period by authenticator type;
IA-5(h) protecting authenticator content from unauthorized:
    IA-5(h)[1] disclosure;
    IA-5(h)[2] modification;
IA-5(i)
    IA-5(i)[1] requiring individuals to take specific security safeguards to protect authenticators;
    IA-5(i)[2] having devices implement specific security safeguards to protect authenticators; and
IA-5(j) changing authenticators for group/role accounts when membership to those accounts changes.

IA-5(1) PASSWORD-BASED AUTHENTICATION
Determine if, for password-based authentication:
IA-5(1)(a)
    IA-5(1)(a)[1] the organization defines requirements for case sensitivity;
    IA-5(1)(a)[2] the organization defines requirements for number of characters;
    IA-5(1)(a)[3] the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;
    IA-5(1)(a)[4] the organization defines minimum requirements for each type of character;
    IA-5(1)(a)[5] the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;
IA-5(1)(b)
    IA-5(1)(b)[1] the organization defines a minimum number of changed characters to be enforced when new passwords are created;
    IA-5(1)(b)[2] the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;
IA-5(1)(c) the information system stores and transmits only encrypted representations of passwords;
IA-5(1)(d)
    IA-5(1)(d)[1] the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;
    IA-5(1)(d)[2] the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;
    IA-5(1)(d)[3] the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;
    IA-5(1)(d)[4] the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;
IA-5(1)(e)
    IA-5(1)(e)[1] the organization defines the number of password generations to be prohibited from password reuse;
    IA-5(1)(e)[2] the information system prohibits password reuse for the organization-defined number of generations; and
IA-5(1)(f) the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

IA-5(2) PKI-BASED AUTHENTICATION
Determine if the information system, for PKI-based authentication:
IA-5(2)(a)
    IA-5(2)(a)[1] validates certifications by constructing a certification path to an accepted trust anchor;
    IA-5(2)(a)[2] validates certifications by verifying a certification path to an accepted trust anchor;
    IA-5(2)(a)[3] includes checking certificate status information when constructing and verifying the certification path;
IA-5(2)(b) enforces authorized access to the corresponding private key;
IA-5(2)(c) maps the authenticated identity to the account of the individual or group; and
IA-5(2)(d) implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

IA-5(3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
Determine if the organization:
IA-5(3)[1] defines types of and/or specific authenticators to be received in person or by a trusted third party;
IA-5(3)[2] defines the registration authority with oversight of the registration process for receipt of organization-defined types of and/or specific authenticators;
IA-5(3)[3] defines personnel or roles responsible for authorizing organization-defined registration authority;
IA-5(3)[4] defines if the registration process is to be conducted:
    IA-5(3)[4][a] in person; or
    IA-5(3)[4][b] by a trusted third party; and
IA-5(3)[5] requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles.

IA-5(4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
Determine if the organization:
IA-5(4)[1] defines requirements to be satisfied by password authenticators; and
IA-5(4)[2] employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements.

IA-5(5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY
Determine if the organization requires developers/installers of information system components to:
IA-5(5)[1] provide unique authenticators prior to delivery/installation; or
IA-5(5)[2] change default authenticators prior to delivery/installation.

IA-5(6) PROTECTION OF AUTHENTICATORS
Determine if the organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

IA-5(7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
Determine if the organization ensures that unencrypted static authenticators are not:
IA-5(7)[1] embedded in applications;
IA-5(7)[2] embedded in access scripts; or
IA-5(7)[3] stored on function keys.

IA-5(8) MULTIPLE INFORMATION SYSTEM ACCOUNTS
Determine if the organization:
IA-5(8)[1] defines security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems; and
IA-5(8)[2] implements organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.

IA-5(9) CROSS-ORGANIZATIONAL CREDENTIAL MANAGEMENT
Determine if the organization:
IA-5(9)[1] defines external organizations with whom to coordinate cross-organizational management of credentials; and
IA-5(9)[2] coordinates with organization-defined external organizations for cross-organizational management of credentials.

IA-5(10) DYNAMIC CREDENTIAL ASSOCIATION
Determine if the information system dynamically provisions identifiers.

IA-5(11) HARDWARE TOKEN-BASED AUTHENTICATION
Determine if, for hardware token-based authentication:
IA-5(11)[1] the organization defines token quality requirements to be satisfied; and
IA-5(11)[2] the information system employs mechanisms that satisfy organization-defined token quality requirements.

IA-5(12) BIOMETRIC AUTHENTICATION
Determine if, for biometric-based authentication:
IA-5(12)[1] the organization defines biometric quality requirements to be satisfied; and
IA-5(12)[2] the information system employs mechanisms that satisfy organization-defined biometric quality requirements.

IA-5(13) EXPIRATION OF CACHED AUTHENTICATORS
Determine if:
IA-5(13)[1] the organization defines the time period after which the information system is to prohibit the use of cached authenticators; and
IA-5(13)[2] the information system prohibits the use of cached authenticators after the organization-defined time period.

IA-5(14) MANAGING CONTENT OF PKI TRUST STORES
Determine if the organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including:
IA-5(14)[1] networks;
IA-5(14)[2] operating systems;
IA-5(14)[3] browsers; and
IA-5(14)[4] applications.

IA-5(15) FICAM-APPROVED PRODUCTS AND SERVICES
Determine if the organization uses only FICAM-approved path discovery and validation products and services.

IDENTIFICATION AND AUTHENTICATION
IA-6 AUTHENTICATOR FEEDBACK
Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IDENTIFICATION AND AUTHENTICATION
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IDENTIFICATION AND AUTHENTICATION
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IA-8(1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
Determine if the information system:
IA-8(1)[1] accepts Personal Identity Verification (PIV) credentials from other agencies; and
IA-8(1)[2] electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

IA-8(2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS
Determine if the information system accepts only FICAM-approved third-party credentials.

IA-8(3) USE OF FICAM-APPROVED PRODUCTS
Determine if the organization:
IA-8(3)[1] defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and
IA-8(3)[2] employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

IA-8(4) USE OF FICAM-ISSUED PROFILES
Determine if the information system conforms to FICAM-issued profiles.
IA-8(5) ACCEPTANCE OF PIV-I CREDENTIALS
Determine if the information system:
IA-8(5)[1] accepts Personal Identity Verification-I (PIV-I) credentials; and
IA-8(5)[2] electronically verifies Personal Identity Verification-I (PIV-I) credentials.

IDENTIFICATION AND AUTHENTICATION
IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
Determine if the organization:
IA-9[1] defines information system services to be identified and authenticated using security safeguards;
IA-9[2] defines security safeguards to be used to identify and authenticate organization-defined information system services; and
IA-9[3] identifies and authenticates organization-defined information system services using organization-defined security safeguards.

IA-9(1) INFORMATION EXCHANGE
Determine if the organization ensures that service providers:
IA-9(1)[1] receive identification and authentication information;
IA-9(1)[2] validate identification and authentication information; and
IA-9(1)[3] transmit identification and authentication information.

IA-9(2) TRANSMISSION OF DECISIONS
Determine if the organization:
IA-9(2)[1] defines services for which identification and authentication decisions transmitted between such services are to be consistent with organizational policies; and
IA-9(2)[2] ensures that identification and authentication decisions are transmitted between organization-defined services consistent with organizational policies.

IDENTIFICATION AND AUTHENTICATION
IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
Determine if the organization:
IA-10[1] defines specific circumstances or situations that require individuals accessing the information system to employ supplemental authentication techniques or mechanisms;
IA-10[2] defines supplemental authentication techniques or mechanisms to be employed when accessing the information system under specific organization-defined circumstances or situations; and
IA-10[3] requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.

IDENTIFICATION AND AUTHENTICATION
IA-11 RE-AUTHENTICATION
Determine if the organization:
IA-11[1] defines circumstances or situations requiring re-authentication;
IA-11[2] requires users to re-authenticate when organization-defined circumstances or situations require re-authentication; and
IA-11[3] requires devices to re-authenticate when organization-defined circumstances or situations require re-authentication.

INCIDENT RESPONSE
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
Determine if the organization:
IR-1(a)(1)
    IR-1(a)(1)[1] develops and documents an incident response policy that addresses:
        IR-1(a)(1)[1][a] purpose;
        IR-1(a)(1)[1][b] scope;
        IR-1(a)(1)[1][c] roles;
        IR-1(a)(1)[1][d] responsibilities;
        IR-1(a)(1)[1][e] management commitment;
        IR-1(a)(1)[1][f] coordination among organizational entities;
        IR-1(a)(1)[1][g] compliance;
    IR-1(a)(1)[2] defines personnel or roles to whom the incident response policy is to be disseminated;
    IR-1(a)(1)[3] disseminates the incident response policy to organization-defined personnel or roles;
IR-1(a)(2)
    IR-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;
    IR-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    IR-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
IR-1(b)(1)
    IR-1(b)(1)[1] defines the frequency to review and update the current incident response policy;
    IR-1(b)(1)[2] reviews and updates the current incident response policy with the organization-defined frequency;
IR-1(b)(2)
    IR-1(b)(2)[1] defines the frequency to review and update the current incident response procedures; and
    IR-1(b)(2)[2] reviews and updates the current incident response procedures with the organization-defined frequency.

INCIDENT RESPONSE
IR-2 INCIDENT RESPONSE TRAINING
Determine if the organization:
IR-2(a)
    IR-2(a)[1] defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;
    IR-2(a)[2] provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;
IR-2(b) provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;
IR-2(c)
    IR-2(c)[1] defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and
    IR-2(c)[2] after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

IR-2(1) SIMULATED EVENTS
Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

IR-2(2) AUTOMATED TRAINING ENVIRONMENTS
Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
INCIDENT RESPONSE
IR-3 INCIDENT RESPONSE TESTING
Determine if the organization:
IR-3[1] defines incident response tests to test the incident response capability for the information system;
IR-3[2] defines the frequency to test the incident response capability for the information system; and
IR-3[3] tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results.

IR-3(1) AUTOMATED TESTING
Determine if the organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

IR-3(2) COORDINATION WITH RELATED PLANS
Determine if the organization coordinates incident response testing with organizational elements responsible for related plans.

INCIDENT RESPONSE
IR-4 INCIDENT HANDLING
Determine if the organization:
IR-4(a) implements an incident handling capability for security incidents that includes:
    IR-4(a)[1] preparation;
    IR-4(a)[2] detection and analysis;
    IR-4(a)[3] containment;
    IR-4(a)[4] eradication;
    IR-4(a)[5] recovery;
IR-4(b) coordinates incident handling activities with contingency planning activities;
IR-4(c)
    IR-4(c)[1] incorporates lessons learned from ongoing incident handling activities into:
        IR-4(c)[1][a] incident response procedures;
        IR-4(c)[1][b] training;
        IR-4(c)[1][c] testing/exercises;
    IR-4(c)[2] implements the resulting changes accordingly to:
        IR-4(c)[2][a] incident response procedures;
        IR-4(c)[2][b] training; and
        IR-4(c)[2][c] testing/exercises.

IR-4(1) AUTOMATED INCIDENT HANDLING PROCESSES
Determine if the organization employs automated mechanisms to support the incident handling process.
IR-4(2) DYNAMIC RECONFIGURATION
Determine if the organization:
IR-4(2)[1] defines information system components to be dynamically reconfigured as part of the incident response capability; and
IR-4(2)[2] includes dynamic reconfiguration of organization-defined information system components as part of the incident response capability.

IR-4(3) CONTINUITY OF OPERATIONS
Determine if the organization:
IR-4(3)[1] defines classes of incidents requiring an organization-defined action to be taken;
IR-4(3)[2] defines actions to be taken in response to organization-defined classes of incidents; and
IR-4(3)[3] identifies organization-defined classes of incidents and organization-defined actions to take in response to classes of incidents to ensure continuation of organizational missions and business functions.

IR-4(4) INFORMATION CORRELATION
Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

IR-4(5) AUTOMATIC DISABLING OF INFORMATION SYSTEM
Determine if the organization:
IR-4(5)[1] defines security violations that, if detected, initiate a configurable capability to automatically disable the information system; and
IR-4(5)[2] implements a configurable capability to automatically disable the information system if any of the organization-defined security violations are detected.

IR-4(6) INSIDER THREATS – SPECIFIC CAPABILITIES
Determine if the organization implements incident handling capability for insider threats.

IR-4(7) INSIDER THREATS – INTRA-ORGANIZATION COORDINATION
Determine if the organization:
IR-4(7)[1] defines components or elements of the organization with whom the incident handling capability for insider threats is to be coordinated; and
IR-4(7)[2] coordinates incident handling capability for insider threats across organization-defined components or elements of the organization.

IR-4(8) CORRELATION WITH EXTERNAL ORGANIZATIONS
Determine if the organization:
IR-4(8)[1] defines external organizations with whom organizational incident information is to be coordinated;
IR-4(8)[2] defines incident information to be correlated and shared with organization-defined external organizations; and
IR-4(8)[3] the organization coordinates with organization-defined external organizations to correlate and share organization-defined information to achieve a cross-organization perspective on incident awareness and more effective incident responses.

IR-4(9) DYNAMIC RESPONSE CAPABILITY
Determine if the organization:
IR-4(9)[1] defines dynamic response capabilities to be employed to effectively respond to security incidents; and
IR-4(9)[2] employs organization-defined dynamic response capabilities to effectively respond to security incidents.

IR-4(10) SUPPLY CHAIN COORDINATION
Determine if the organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.

INCIDENT RESPONSE
IR-5 INCIDENT MONITORING
Determine if the organization:
IR-5[1] tracks information system security incidents; and
IR-5[2] documents information system security incidents.

IR-5(1) AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS
Determine if the organization employs automated mechanisms to assist in:
IR-5(1)[1] the tracking of security incidents;
IR-5(1)[2] the collection of incident information; and
IR-5(1)[3] the analysis of incident information.

INCIDENT RESPONSE
IR-6 INCIDENT REPORTING
Determine if the organization:
IR-6(a)
    IR-6(a)[1] defines the time period within which personnel report suspected security incidents to the organizational incident response capability;
    IR-6(a)[2] requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;
IR-6(b)
    IR-6(b)[1] defines authorities to whom security incident information is to be reported; and
    IR-6(b)[2] reports security incident information to organization-defined authorities.

IR-6(1) AUTOMATED REPORTING
Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.

IR-6(2) VULNERABILITIES RELATED TO INCIDENTS
Determine if the organization:
IR-6(2)[1] defines personnel or roles to whom information system vulnerabilities associated with reported security incidents are to be reported; and
IR-6(2)[2] reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.

IR-6(3) COORDINATION WITH SUPPLY CHAIN
Determine if the organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.

INCIDENT RESPONSE
IR-7 INCIDENT RESPONSE ASSISTANCE
Determine if the organization provides an incident response support resource:
IR-7[1] that is integral to the organizational incident response capability; and
IR-7[2] that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7(1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.

IR-7(2) COORDINATION WITH EXTERNAL PROVIDERS
Determine if the organization:
IR-7(2)(a) establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
IR-7(2)(b) identifies organizational incident response team members to the external providers.

INCIDENT RESPONSE
IR-8 INCIDENT RESPONSE PLAN
Determine if the organization:
IR-8(a) develops an incident response plan that:
    IR-8(a)(1) provides the organization with a roadmap for implementing its incident response capability;
    IR-8(a)(2) describes the structure and organization of the incident response capability;
    IR-8(a)(3) provides a high-level approach for how the incident response capability fits into the overall organization;
    IR-8(a)(4) meets the unique requirements of the organization, which relate to:
        IR-8(a)(4)[1] mission;
        IR-8(a)(4)[2] size;
        IR-8(a)(4)[3] structure;
        IR-8(a)(4)[4] functions;
    IR-8(a)(5) defines reportable incidents;
    IR-8(a)(6) provides metrics for measuring the incident response capability within the organization;
    IR-8(a)(7) defines the resources and management support needed to effectively maintain and mature an incident response capability;
    IR-8(a)(8)
        IR-8(a)(8)[1] defines personnel or roles to review and approve the incident response plan;
        IR-8(a)(8)[2] is reviewed and approved by organization-defined personnel or roles;
IR-8(b)
    IR-8(b)[1]
        IR-8(b)[1][a] defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;
        IR-8(b)[1][b] defines organizational elements to whom copies of the incident response plan are to be distributed;
    IR-8(b)[2] distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;
IR-8(c)
    IR-8(c)[1] defines the frequency to review the incident response plan;
    IR-8(c)[2] reviews the incident response plan with the organization-defined frequency;
IR-8(d) updates the incident response plan to address system/organizational changes or problems encountered during plan:
    IR-8(d)[1] implementation;
    IR-8(d)[2] execution; or
    IR-8(d)[3] testing;
IR-8(e)
    IR-8(e)[1]
        IR-8(e)[1][a] defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;
        IR-8(e)[1][b] defines organizational elements to whom incident response plan changes are to be communicated;
    IR-8(e)[2] communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and
IR-8(f) protects the incident response plan from unauthorized disclosure and modification.

INCIDENT RESPONSE
IR-9 INFORMATION SPILLAGE RESPONSE
Determine if the organization:
IR-9(a) responds to information spills by identifying the specific information causing the information system contamination;
IR-9(b)
    IR-9(b)[1] defines personnel to be alerted of the information spillage;
    IR-9(b)[2] identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill;
    IR-9(b)[3] responds to information spills by alerting organization-defined personnel of the information spill using a method of communication not associated with the spill;
IR-9(c) responds to information spills by isolating the contaminated information system;
IR-9(d) responds to information spills by eradicating the information from the contaminated information system;
IR-9(e) responds to information spills by identifying other information systems that may have been subsequently contaminated;
IR-9(f)
    IR-9(f)[1] defines other actions to be performed in response to information spills; and
    IR-9(f)[2] responds to information spills by performing other organization-defined actions.

IR-9(1) RESPONSIBLE PERSONNEL
Determine if the organization:
IR-9(1)[1] defines personnel with responsibility for responding to information spills; and
IR-9(1)[2] assigns organization-defined personnel with responsibility for responding to information spills.

IR-9(2) TRAINING
Determine if the organization:
IR-9(2)[1] defines the frequency to provide information spillage response training; and
IR-9(2)[2] provides information spillage response training with the organization-defined frequency.

IR-9(3) POST-SPILL OPERATIONS
Determine if the organization:
IR-9(3)[1] defines procedures that ensure organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions; and
IR-9(3)[2] implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

IR-9(4) EXPOSURE TO UNAUTHORIZED PERSONNEL
Determine if the organization:
IR-9(4)[1] defines security safeguards to be employed for personnel exposed to information not within assigned access authorizations; and
IR-9(4)[2] employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.

INCIDENT RESPONSE
IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
Determine if the organization establishes an integrated team of forensic/malicious code analyst, tool developers, and real-time operations personnel.

MAINTENANCE
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
Determine if the organization:
MA-1(a)(1)
    MA-1(a)(1)[1] develops and documents a system maintenance policy that addresses:
        MA-1(a)(1)[1][a] purpose;
        MA-1(a)(1)[1][b] scope;
        MA-1(a)(1)[1][c] roles;
        MA-1(a)(1)[1][d] responsibilities;
        MA-1(a)(1)[1][e] management commitment;
        MA-1(a)(1)[1][f] coordination among organizational entities;
        MA-1(a)(1)[1][g] compliance;
    MA-1(a)(1)[2] defines personnel or roles to whom the system maintenance policy is to be disseminated;
    MA-1(a)(1)[3] disseminates the system maintenance policy to organization-defined personnel or roles;
MA-1(a)(2)
    MA-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;
    MA-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    MA-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
MA-1(b)(1)
    MA-1(b)(1)[1] defines the frequency to review and update the current system maintenance policy;
    MA-1(b)(1)[2] reviews and updates the current system maintenance policy with the organization-defined frequency;
MA-1(b)(2)
    MA-1(b)(2)[1] defines the frequency to review and update the current system maintenance procedures; and
    MA-1(b)(2)[2] reviews and updates the current system maintenance procedures with the organization-defined frequency.

MAINTENANCE
MA-2 CONTROLLED MAINTENANCE
Determine if the organization:
MA-2(a)
    MA-2(a)[1] schedules maintenance and repairs on information system components in accordance with:
        MA-2(a)[1][a] manufacturer or vendor specifications; and/or
        MA-2(a)[1][b] organizational requirements;
    MA-2(a)[2] performs maintenance and repairs on information system components in accordance with:
        MA-2(a)[2][a] manufacturer or vendor specifications; and/or
        MA-2(a)[2][b] organizational requirements;
    MA-2(a)[3] documents maintenance and repairs on information system components in accordance with:
        MA-2(a)[3][a] manufacturer or vendor specifications; and/or
        MA-2(a)[3][b] organizational requirements;
    MA-2(a)[4] reviews records of maintenance and repairs on information system components in accordance with:
        MA-2(a)[4][a] manufacturer or vendor specifications; and/or
        MA-2(a)[4][b] organizational requirements;
MA-2(b)
    MA-2(b)[1] approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
    MA-2(b)[2] monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
MA-2(c)
    MA-2(c)[1] defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
    MA-2(c)[2] requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
MA-2(d) sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
MA-2(e) checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;
MA-2(f)
    MA-2(f)[1] defines maintenance-related information to be included in organizational maintenance records; and
    MA-2(f)[2] includes organization-defined maintenance-related information in organizational maintenance records.

MA-2(1) RECORD CONTENT
[Withdrawn: Incorporated into MA-2].

MA-2(2) AUTOMATED MAINTENANCE ACTIVITIES
Determine if the organization:
MA-2(2)(a) employs automated mechanisms to:
    MA-2(2)(a)[1] schedule maintenance and repairs;
    MA-2(2)(a)[2] conduct maintenance and repairs;
    MA-2(2)(a)[3] document maintenance and repairs;
MA-2(2)(b) produces up-to-date, accurate, and complete records of all maintenance and repair actions:
    MA-2(2)(b)[1] requested;
    MA-2(2)(b)[2] scheduled;
    MA-2(2)(b)[3] in process; and
    MA-2(2)(b)[4] completed.

MAINTENANCE
MA-3 MAINTENANCE TOOLS
Determine if the organization:
MA-3[1] approves information system maintenance tools;
MA-3[2] controls information system maintenance tools; and
MA-3[3] monitors information system maintenance tools.

MA-3(1) INSPECT TOOLS
Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

MA-3(2) INSPECT MEDIA
Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

MA-3(3) PREVENT UNAUTHORIZED REMOVAL
Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
MA-3(3)(a) verifying that there is no organizational information contained on the equipment;
MA-3(3)(b) sanitizing or destroying the equipment;
MA-3(3)(c) retaining the equipment within the facility; or
MA-3(3)(d)
    MA-3(3)(d)[1] defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and
    MA-3(3)(d)[2] obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

MA-3(4) RESTRICTED TOOL USE
Determine if the organization restricts the use of maintenance tools to authorized personnel only.
MAINTENANCEMA-4NONLOCAL MAINTENANCEDetermine if the organization: MA-4(a)MA-4(a)[1]approves nonlocal maintenance and diagnostic activities;MA-4(a)[2]monitors nonlocal maintenance and diagnostic activities;MA-4(b)allows the use of nonlocal maintenance and diagnostic tools only:MA-4(b)[1]as consistent with organizational policy;MA-4(b)[2]as documented in the security plan for the information system;MA-4(c)employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;MA-4(d)maintains records for nonlocal maintenance and diagnostic activities;MA-4(e)MA-4(e)[1]terminates sessions when nonlocal maintenance or diagnostics is completed; andMA-4(e)[2]terminates network connections when nonlocal maintenance or diagnostics is completed.MA-4(1)AUDITING AND REVIEWDetermine if the organization: MA-4(1)(a)MA-4(1)(a)[1]defines audit events to audit nonlocal maintenance and diagnostic sessions;MA-4(1)(a)[2]audits organization-defined audit events for non-local maintenance and diagnostic sessions; andMA-4(1)(b)reviews records of the maintenance and diagnostic sessions.MA-4(2)DOCUMENT NONLOCAL MAINTENANCEDetermine if the organization documents in the security plan for the information system: MA-4(2)[1]the policies for the establishment and use of nonlocal maintenance and diagnostic connections; andMA-4(2)[2]the procedures for the establishment and use of nonlocal maintenance and diagnostic connections.MA-4(3)COMPARABLE SECURITY / SANITIZATIONDetermine if the organization: MA-4(3)(a)requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; orMA-4(3)(b)MA-4(3)(b)[1]removes the component to be serviced from the information system;MA-4(3)(b)[2]sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and/or before removal from organizational 
facilities; andMA-4(3)(b)[3]inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system.MA-4(4)AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONSDetermine if the organization protects nonlocal maintenance sessions by: MA-4(4)(a)MA-4(4)(a)[1]defining replay resistant authenticators to be employed to protect nonlocal maintenance sessions;MA-4(4)(a)[2]employing organization-defined authenticators that are replay resistant;MA-4(4)(b)separating the maintenance sessions from other network sessions with the information system by either:MA-4(4)(b)(1)physically separated communications paths; orMA-4(4)(b)(2)logically separated communications paths based upon encryption.MA-4(5)APPROVALS AND NOTIFICATIONSDetermine if the organization: MA-4(5)(a)MA-4(5)(a)[1]defines personnel or roles required to approve each nonlocal maintenance session;MA-4(5)(a)[2]requires the approval of each nonlocal maintenance session by organization-defined personnel or roles;MA-4(5)(b)MA-4(5)(b)[1]defines personnel or roles to be notified of the date and time of planned nonlocal maintenance; andMA-4(5)(b)[2]notifies organization-defined personnel roles of the date and time of planned nonlocal maintenance.MA-4(6)CRYPTOGRAPHIC PROTECTIONDetermine if the information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. MA-4(7)REMOTE DISCONNECT VERIFICATIONDetermine if the information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. 
MA-5 MAINTENANCE PERSONNEL

Determine if the organization:
  MA-5(a)
    MA-5(a)[1] establishes a process for maintenance personnel authorization;
    MA-5(a)[2] maintains a list of authorized maintenance organizations or personnel;
  MA-5(b) ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
  MA-5(c) designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

MA-5(1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS

Determine if the organization:
  MA-5(1)(a) implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
    MA-5(1)(a)(1) maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:
      MA-5(1)(a)(1)[1] are fully cleared;
      MA-5(1)(a)(1)[2] have appropriate access authorizations;
      MA-5(1)(a)(1)[3] are technically qualified;
    MA-5(1)(a)(2) prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:
      MA-5(1)(a)(2)[1] all volatile information storage components within the information system are sanitized; and
      MA-5(1)(a)(2)[2] all nonvolatile storage media are removed; or
      MA-5(1)(a)(2)[3] all nonvolatile storage media are physically disconnected from the system and secured; and
  MA-5(1)(b) develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

MA-5(2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS

Determine if the organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess:
  MA-5(2)[1] security clearances for at least the highest classification level on the system;
  MA-5(2)[2] security clearances for all compartments of information on the system;
  MA-5(2)[3] formal access approvals for at least the highest classification level on the system; and
  MA-5(2)[4] formal access approvals for all compartments of information on the system.

MA-5(3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS

Determine if the organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.

MA-5(4) FOREIGN NATIONALS

Determine if the organization ensures that:
  MA-5(4)(a) cleared foreign nationals (i.e., foreign nationals with appropriate security clearances) are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are:
    MA-5(4)(a)[1] jointly owned and operated by the United States and foreign allied governments; or
    MA-5(4)(a)[2] owned and operated solely by foreign allied governments; and
  MA-5(4)(b) approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.

MA-5(5) NONSYSTEM-RELATED MAINTENANCE

Determine if the organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system have required access authorizations.

MA-6 TIMELY MAINTENANCE

Determine if the organization:
  MA-6[1] defines information system components for which maintenance support and/or spare parts are to be obtained;
  MA-6[2] defines the time period within which maintenance support and/or spare parts are to be obtained after a failure;
  MA-6[3]
    MA-6[3][a] obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and/or
    MA-6[3][b] obtains spare parts for organization-defined information system components within the organization-defined time period of failure.

MA-6(1) PREVENTIVE MAINTENANCE

Determine if the organization:
  MA-6(1)[1] defines information system components on which preventive maintenance is to be performed;
  MA-6(1)[2] defines time intervals within which preventive maintenance is to be performed on organization-defined information system components; and
  MA-6(1)[3] performs preventive maintenance on organization-defined information system components at organization-defined time intervals.

MA-6(2) PREDICTIVE MAINTENANCE

Determine if the organization:
  MA-6(2)[1] defines information system components on which predictive maintenance is to be performed;
  MA-6(2)[2] defines time intervals within which predictive maintenance is to be performed on organization-defined information system components; and
  MA-6(2)[3] performs predictive maintenance on organization-defined information system components at organization-defined time intervals.

MA-6(3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE

Determine if the organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.

MEDIA PROTECTION

MP-1 MEDIA PROTECTION POLICY AND PROCEDURES

Determine if the organization:
  MP-1(a)(1)
    MP-1(a)(1)[1] develops and documents a media protection policy that addresses:
      MP-1(a)(1)[1][a] purpose;
      MP-1(a)(1)[1][b] scope;
      MP-1(a)(1)[1][c] roles;
      MP-1(a)(1)[1][d] responsibilities;
      MP-1(a)(1)[1][e] management commitment;
      MP-1(a)(1)[1][f] coordination among organizational entities;
      MP-1(a)(1)[1][g] compliance;
    MP-1(a)(1)[2] defines personnel or roles to whom the media protection policy is to be disseminated;
    MP-1(a)(1)[3] disseminates the media protection policy to organization-defined personnel or roles;
  MP-1(a)(2)
    MP-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;
    MP-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    MP-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  MP-1(b)(1)
    MP-1(b)(1)[1] defines the frequency to review and update the current media protection policy;
    MP-1(b)(1)[2] reviews and updates the current media protection policy with the organization-defined frequency;
  MP-1(b)(2)
    MP-1(b)(2)[1] defines the frequency to review and update the current media protection procedures; and
    MP-1(b)(2)[2] reviews and updates the current media protection procedures with the organization-defined frequency.

MP-2 MEDIA ACCESS

Determine if the organization:
  MP-2[1] defines types of digital and/or non-digital media requiring restricted access;
  MP-2[2] defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and
  MP-2[3] restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

MP-2(1) AUTOMATED RESTRICTED ACCESS

[Withdrawn: Incorporated into MP-4(2)].

MP-2(2) CRYPTOGRAPHIC PROTECTION

[Withdrawn: Incorporated into SC-28(1)].

MP-3 MEDIA MARKING

Determine if the organization:
  MP-3(a) marks information system media indicating the:
    MP-3(a)[1] distribution limitations of the information;
    MP-3(a)[2] handling caveats of the information;
    MP-3(a)[3] applicable security markings (if any) of the information;
  MP-3(b)
    MP-3(b)[1] defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;
    MP-3(b)[2] defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and
    MP-3(b)[3] exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.

MP-4 MEDIA STORAGE

Determine if the organization:
  MP-4(a)
    MP-4(a)[1] defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;
    MP-4(a)[2] defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;
    MP-4(a)[3] physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;
    MP-4(a)[4] securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and
  MP-4(b) protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-4(1) CRYPTOGRAPHIC PROTECTION

[Withdrawn: Incorporated into SC-28(1)].

MP-4(2) AUTOMATED RESTRICTED ACCESS

Determine if the organization employs automated mechanisms to:
  MP-4(2)[1] restrict access to media storage areas;
  MP-4(2)[2] audit access attempts; and
  MP-4(2)[3] audit access granted.

MP-5 MEDIA TRANSPORT

Determine if the organization:
  MP-5(a)
    MP-5(a)[1] defines types of information system media to be protected and controlled during transport outside of controlled areas;
    MP-5(a)[2] defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;
    MP-5(a)[3] protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;
  MP-5(b) maintains accountability for information system media during transport outside of controlled areas;
  MP-5(c) documents activities associated with the transport of information system media; and
  MP-5(d) restricts the activities associated with transport of information system media to authorized personnel.

MP-5(1) PROTECTION OUTSIDE OF CONTROLLED AREAS

[Withdrawn: Incorporated into MP-5].

MP-5(2) DOCUMENTATION OF ACTIVITIES

[Withdrawn: Incorporated into MP-5].

MP-5(3) CUSTODIANS

Determine if the organization employs an identified custodian during transport of information system media outside of controlled areas.

MP-5(4) CRYPTOGRAPHIC PROTECTION

Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

MP-6 MEDIA SANITIZATION

Determine if the organization:
  MP-6(a)
    MP-6(a)[1] defines information system media to be sanitized prior to:
      MP-6(a)[1][a] disposal;
      MP-6(a)[1][b] release out of organizational control; or
      MP-6(a)[1][c] release for reuse;
    MP-6(a)[2] defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:
      MP-6(a)[2][a] disposal;
      MP-6(a)[2][b] release out of organizational control; or
      MP-6(a)[2][c] release for reuse;
    MP-6(a)[3] sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and
  MP-6(b) employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

MP-6(1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY

Determine if the organization:
  MP-6(1)[1] reviews media sanitization and disposal actions;
  MP-6(1)[2] approves media sanitization and disposal actions;
  MP-6(1)[3] tracks media sanitization and disposal actions;
  MP-6(1)[4] documents media sanitization and disposal actions; and
  MP-6(1)[5] verifies media sanitization and disposal actions.

MP-6(2) EQUIPMENT TESTING

Determine if the organization:
  MP-6(2)[1] defines the frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved; and
  MP-6(2)[2] tests sanitization equipment and procedures with the organization-defined frequency to verify that the intended sanitization is being achieved.

MP-6(3) NONDESTRUCTIVE TECHNIQUES

Determine if the organization:
  MP-6(3)[1] defines circumstances requiring sanitization of portable storage devices; and
  MP-6(3)[2] applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances requiring sanitization of portable storage devices.

MP-6(4) CONTROLLED UNCLASSIFIED INFORMATION

[Withdrawn: Incorporated into MP-6].

MP-6(5) CLASSIFIED INFORMATION

[Withdrawn: Incorporated into MP-6].

MP-6(6) MEDIA DESTRUCTION

[Withdrawn: Incorporated into MP-6].

MP-6(7) DUAL AUTHORIZATION

Determine if the organization:
  MP-6(7)[1] defines information system media requiring dual authorization to be enforced for sanitization of such media; and
  MP-6(7)[2] enforces dual authorization for the sanitization of organization-defined information system media.

MP-6(8) REMOTE PURGING / WIPING OF INFORMATION

Determine if the organization:
  MP-6(8)[1] defines information systems, system components, or devices to purge/wipe either remotely or under specific organizational conditions;
  MP-6(8)[2] defines conditions under which information is to be purged/wiped from organization-defined information systems, system components, or devices; and
  MP-6(8)[3] provides the capability to purge/wipe information from organization-defined information systems, system components, or devices either:
    MP-6(8)[3][a] remotely; or
    MP-6(8)[3][b] under organization-defined conditions.

MP-7 MEDIA USE

Determine if the organization:
  MP-7[1] defines types of information system media to be:
    MP-7[1][a] restricted on information systems or system components; or
    MP-7[1][b] prohibited from use on information systems or system components;
  MP-7[2] defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:
    MP-7[2][a] restricted; or
    MP-7[2][b] prohibited;
  MP-7[3] defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and
  MP-7[4] restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

MP-7(1) PROHIBIT USE WITHOUT OWNER

Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

MP-7(2) PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA

Determine if the organization prohibits the use of sanitization-resistant media in organizational information systems.

MP-8 MEDIA DOWNGRADING

Determine if the organization:
  MP-8(a)
    MP-8(a)[1] defines the information system media downgrading process;
    MP-8(a)[2] defines the strength and integrity with which media downgrading mechanisms are to be employed;
    MP-8(a)[3] establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity;
  MP-8(b) ensures that the information system media downgrading process is commensurate with the:
    MP-8(b)[1] security category and/or classification level of the information to be removed;
    MP-8(b)[2] access authorizations of the potential recipients of the downgraded information;
  MP-8(c) identifies/defines information system media requiring downgrading; and
  MP-8(d) downgrades the identified information system media using the established process.

MP-8(1) DOCUMENTATION OF PROCESS

Determine if the organization documents information system media downgrading actions.
MP-8(2) EQUIPMENT TESTING

Determine if the organization:
  MP-8(2)[1]
    MP-8(2)[1][a] defines tests to be employed for downgrading equipment;
    MP-8(2)[1][b] defines procedures to verify correct performance;
  MP-8(2)[2] defines the frequency for employing tests of downgrading equipment and procedures to verify correct performance; and
  MP-8(2)[3] employs organization-defined tests of downgrading equipment and procedures to verify correct performance with the organization-defined frequency.

MP-8(3) CONTROLLED UNCLASSIFIED INFORMATION

Determine if the organization:
  MP-8(3)[1] defines Controlled Unclassified Information (CUI) contained on information system media that requires downgrading prior to public release; and
  MP-8(3)[2] downgrades information system media containing organization-defined CUI prior to public release in accordance with applicable federal and organizational standards and policies.

MP-8(4) CLASSIFIED INFORMATION

Determine if the organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

Determine if the organization:
  PE-1(a)(1)
    PE-1(a)(1)[1] develops and documents a physical and environmental protection policy that addresses:
      PE-1(a)(1)[1][a] purpose;
      PE-1(a)(1)[1][b] scope;
      PE-1(a)(1)[1][c] roles;
      PE-1(a)(1)[1][d] responsibilities;
      PE-1(a)(1)[1][e] management commitment;
      PE-1(a)(1)[1][f] coordination among organizational entities;
      PE-1(a)(1)[1][g] compliance;
    PE-1(a)(1)[2] defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;
    PE-1(a)(1)[3] disseminates the physical and environmental protection policy to organization-defined personnel or roles;
  PE-1(a)(2)
    PE-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;
    PE-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    PE-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  PE-1(b)(1)
    PE-1(b)(1)[1] defines the frequency to review and update the current physical and environmental protection policy;
    PE-1(b)(1)[2] reviews and updates the current physical and environmental protection policy with the organization-defined frequency;
  PE-1(b)(2)
    PE-1(b)(2)[1] defines the frequency to review and update the current physical and environmental protection procedures; and
    PE-1(b)(2)[2] reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

PE-2 PHYSICAL ACCESS AUTHORIZATIONS

Determine if the organization:
  PE-2(a)
    PE-2(a)[1] develops a list of individuals with authorized access to the facility where the information system resides;
    PE-2(a)[2] approves a list of individuals with authorized access to the facility where the information system resides;
    PE-2(a)[3] maintains a list of individuals with authorized access to the facility where the information system resides;
  PE-2(b) issues authorization credentials for facility access;
  PE-2(c)
    PE-2(c)[1] defines the frequency to review the access list detailing authorized facility access by individuals;
    PE-2(c)[2] reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and
  PE-2(d) removes individuals from the facility access list when access is no longer required.

PE-2(1) ACCESS BY POSITION / ROLE

Determine if the organization authorizes physical access to the facility where the information system resides based on position or role.

PE-2(2) TWO FORMS OF IDENTIFICATION

Determine if the organization:
  PE-2(2)[1] defines a list of acceptable forms of identification for visitor access to the facility where the information system resides; and
  PE-2(2)[2] requires two forms of identification from the organization-defined list of acceptable forms of identification for visitor access to the facility where the information system resides.

PE-2(3) RESTRICT UNESCORTED ACCESS

Determine if the organization:
  PE-2(3)[1] defines credentials to be employed to restrict unescorted access to the facility where the information system resides to authorized personnel;
  PE-2(3)[2] restricts unescorted access to the facility where the information system resides to personnel with one or more of the following:
    PE-2(3)[2][a] security clearances for all information contained within the system;
    PE-2(3)[2][b] formal access authorizations for all information contained within the system;
    PE-2(3)[2][c] need for access to all information contained within the system; and/or
    PE-2(3)[2][d] organization-defined credentials.

PE-3 PHYSICAL ACCESS CONTROL

Determine if the organization:
  PE-3(a)
    PE-3(a)[1] defines entry/exit points to the facility where the information system resides;
    PE-3(a)[2] enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:
      PE-3(a)[2](1) verifying individual access authorizations before granting access to the facility;
      PE-3(a)[2](2)
        PE-3(a)[2](2)[a] defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;
        PE-3(a)[2](2)[b] using one or more of the following ways to control ingress/egress to the facility:
          PE-3(a)[2](2)[b][1] organization-defined physical access control systems/devices; and/or
          PE-3(a)[2](2)[b][2] guards;
  PE-3(b)
    PE-3(b)[1] defines entry/exit points for which physical access audit logs are to be maintained;
    PE-3(b)[2] maintains physical access audit logs for organization-defined entry/exit points;
  PE-3(c)
    PE-3(c)[1] defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;
    PE-3(c)[2] provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;
  PE-3(d)
    PE-3(d)[1] defines circumstances requiring visitor:
      PE-3(d)[1][a] escorts;
      PE-3(d)[1][b] monitoring;
    PE-3(d)[2] in accordance with organization-defined circumstances requiring visitor escorts and monitoring:
      PE-3(d)[2][a] escorts visitors;
      PE-3(d)[2][b] monitors visitor activities;
  PE-3(e)
    PE-3(e)[1] secures keys;
    PE-3(e)[2] secures combinations;
    PE-3(e)[3] secures other physical access devices;
  PE-3(f)
    PE-3(f)[1] defines physical access devices to be inventoried;
    PE-3(f)[2] defines the frequency to inventory organization-defined physical access devices;
    PE-3(f)[3] inventories the organization-defined physical access devices with the organization-defined frequency;
  PE-3(g)
    PE-3(g)[1] defines the frequency to change combinations and keys; and
    PE-3(g)[2] changes combinations and keys with the organization-defined frequency and/or when:
      PE-3(g)[2][a] keys are lost;
      PE-3(g)[2][b] combinations are compromised;
      PE-3(g)[2][c] individuals are transferred or terminated.

PE-3(1) INFORMATION SYSTEM ACCESS

Determine if the organization:
  PE-3(1)[1] defines physical spaces containing one or more components of the information system; and
  PE-3(1)[2] enforces physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the information system.

PE-3(2) FACILITY / INFORMATION SYSTEM BOUNDARIES

Determine if the organization:
  PE-3(2)[1] defines the frequency to perform security checks at the physical boundary of the facility or information system for:
    PE-3(2)[1][a] unauthorized exfiltration of information; or
    PE-3(2)[1][b] removal of information system components; and
  PE-3(2)[2] performs security checks with the organization-defined frequency at the physical boundary of the facility or information system for:
    PE-3(2)[2][a] unauthorized exfiltration of information; or
    PE-3(2)[2][b] removal of information system components.

PE-3(3) CONTINUOUS GUARDS / ALARMS / MONITORING

Determine if the organization employs one or more of the following to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week:
  PE-3(3)[1] guards; and/or
  PE-3(3)[2] alarms.

PE-3(4) LOCKABLE CASINGS

Determine if the organization:
  PE-3(4)[1] defines information system components to be protected from unauthorized physical access using lockable physical casings; and
  PE-3(4)[2] uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.

PE-3(5) TAMPER PROTECTION

Determine if the organization:
  PE-3(5)[1] defines security safeguards to be employed to detect and/or prevent physical tampering or alteration of organization-defined hardware components within the information system;
  PE-3(5)[2] defines hardware components within the information system for which security safeguards are to be employed to detect and/or prevent physical tampering or alteration of such components;
  PE-3(5)[3] employs organization-defined security safeguards to do one or more of the following:
    PE-3(5)[3][a] detect physical tampering or alteration of organization-defined hardware components within the information system; and/or
    PE-3(5)[3][b] prevent physical tampering or alteration of organization-defined hardware components within the information system.

PE-3(6) FACILITY PENETRATION TESTING

Determine if the organization:
  PE-3(6)[1] defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility; and
  PE-3(6)[2] employs a penetration testing process with the organization-defined frequency that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.

PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM

Determine if the organization:
  PE-4[1] defines information system distribution and transmission lines requiring physical access controls;
  PE-4[2] defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and
  PE-4[3] controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-5(1) ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
Determine if the organization:
PE-5(1)(a)
  PE-5(1)(a)[1] defines output devices whose output requires physical access controls;
  PE-5(1)(a)[2] controls physical access to output from organization-defined output devices; and
PE-5(1)(b) ensures that only authorized individuals receive output from the device.

PE-5(2) ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
Determine if:
PE-5(2)(a)
  PE-5(2)(a)[1] the organization defines output devices whose output requires physical access controls;
  PE-5(2)(a)[2] the information system controls physical access to output from organization-defined output devices; and
PE-5(2)(b) the information system links individual identity to receipt of the output from the device.

PE-5(3) MARKING OUTPUT DEVICES
Determine if the organization:
PE-5(3)[1] defines information system output devices to be marked with appropriate security marking of the information permitted to be output from such devices; and
PE-5(3)[2] marks organization-defined information system output devices indicating the appropriate security marking of the information permitted to be output from the device.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-6 MONITORING PHYSICAL ACCESS
Determine if the organization:
PE-6(a) monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
PE-6(b)
  PE-6(b)[1] defines the frequency to review physical access logs;
  PE-6(b)[2] defines events or potential indication of events requiring physical access logs to be reviewed;
  PE-6(b)[3] reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and
PE-6(c) coordinates results of reviews and investigations with the organizational incident response capability.

PE-6(1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
Determine if the organization monitors physical intrusion alarms and surveillance equipment.
PE-6(2) AUTOMATED INTRUSION RECOGNITION / RESPONSES
Determine if the organization:
PE-6(2)[1] defines classes/types of intrusions to be recognized by automated mechanisms;
PE-6(2)[2] defines response actions to be initiated by automated mechanisms when organization-defined classes/types of intrusions are recognized; and
PE-6(2)[3] employs automated mechanisms to recognize organization-defined classes/types of intrusions and initiate organization-defined response actions.

PE-6(3) VIDEO SURVEILLANCE
Determine if the organization:
PE-6(3)[1] defines operational areas where video surveillance is to be employed;
PE-6(3)[2] defines a time period to retain video recordings of organization-defined operational areas;
PE-6(3)[3]
  PE-6(3)[3][a] employs video surveillance of organization-defined operational areas; and
  PE-6(3)[3][b] retains video recordings for the organization-defined time period.

PE-6(4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS
Determine if the organization:
PE-6(4)[1] defines physical spaces containing one or more components of the information system; and
PE-6(4)[2] monitors physical access to the information system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the information system.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-7 VISITOR CONTROL
[Withdrawn: Incorporated into PE-2 and PE-3].

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-8 VISITOR ACCESS RECORDS
Determine if the organization:
PE-8(a)
  PE-8(a)[1] defines the time period to maintain visitor access records to the facility where the information system resides;
  PE-8(a)[2] maintains visitor access records to the facility where the information system resides for the organization-defined time period;
PE-8(b)
  PE-8(b)[1] defines the frequency to review visitor access records; and
  PE-8(b)[2] reviews visitor access records with the organization-defined frequency.

PE-8(1) AUTOMATED RECORDS MAINTENANCE / REVIEW
Determine if the organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

PE-8(2) PHYSICAL ACCESS RECORDS
[Withdrawn: Incorporated into PE-2].

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-9 POWER EQUIPMENT AND CABLING
Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.

PE-9(1) REDUNDANT CABLING
Determine if the organization:
PE-9(1)[1] defines the distance by which redundant power cabling paths are to be physically separated; and
PE-9(1)[2] employs redundant power cabling paths that are physically separated by organization-defined distance.

PE-9(2) AUTOMATIC VOLTAGE CONTROLS
Determine if the organization:
PE-9(2)[1] defines critical information system components that require automatic voltage controls; and
PE-9(2)[2] employs automatic voltage controls for organization-defined critical information system components.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-10 EMERGENCY SHUTOFF
Determine if the organization:
PE-10(a) provides the capability of shutting off power to the information system or individual system components in emergency situations;
PE-10(b)
  PE-10(b)[1] defines the location of emergency shutoff switches or devices by information system or system component;
  PE-10(b)[2] places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and
PE-10(c) protects emergency power shutoff capability from unauthorized activation.

PE-10(1) ACCIDENTAL / UNAUTHORIZED ACTIVATION
[Withdrawn: Incorporated into PE-10].

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-11 EMERGENCY POWER
Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:
PE-11[1] an orderly shutdown of the information system; and/or
PE-11[2] transition of the information system to long-term alternate power.

PE-11(1) LONG-TERM ALTERNATE POWER SUPPLY – MINIMAL OPERATIONAL CAPABILITY
Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

PE-11(2) LONG-TERM ALTERNATE POWER SUPPLY – SELF-CONTAINED
Determine if the organization provides a long-term alternate power supply for the information system that is:
PE-11(2)(a) self-contained;
PE-11(2)(b) not reliant on external power generation;
PE-11(2)(c) capable of maintaining one of the following in the event of an extended loss of the primary power source:
  PE-11(2)(c)[1] minimally required operational capability; or
  PE-11(2)(c)[2] full operational capability.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-12 EMERGENCY LIGHTING
Determine if the organization employs and maintains automatic emergency lighting for the information system that:
PE-12[1] activates in the event of a power outage or disruption; and
PE-12[2] covers emergency exits and evacuation routes within the facility.

PE-12(1) ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
Determine if the organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-13 FIRE PROTECTION
Determine if the organization:
PE-13[1] employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and
PE-13[2] maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

PE-13(1) DETECTION DEVICES / SYSTEMS
Determine if the organization:
PE-13(1)[1] defines personnel or roles to be notified in the event of a fire;
PE-13(1)[2] defines emergency responders to be notified in the event of a fire;
PE-13(1)[3] employs fire detection devices/systems for the information system that, in the event of a fire:
  PE-13(1)[3][a] activate automatically;
  PE-13(1)[3][b] notify organization-defined personnel or roles; and
  PE-13(1)[3][c] notify organization-defined emergency responders.

PE-13(2) SUPPRESSION DEVICES / SYSTEMS
Determine if the organization:
PE-13(2)[1] defines personnel or roles to be provided automatic notification of any activation of fire suppression devices/systems for the information system;
PE-13(2)[2] defines emergency responders to be provided automatic notification of any activation of fire suppression devices/systems for the information system;
PE-13(2)[3] employs fire suppression devices/systems for the information system that provide automatic notification of any activation to:
  PE-13(2)[3][a] organization-defined personnel or roles; and
  PE-13(2)[3][b] organization-defined emergency responders.

PE-13(3) AUTOMATIC FIRE SUPPRESSION
Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

PE-13(4) INSPECTIONS
Determine if the organization:
PE-13(4)[1] defines the frequency of inspections to be conducted on the facility by authorized and qualified inspectors;
PE-13(4)[2] ensures that the facility undergoes inspections by authorized and qualified inspectors with the organization-defined frequency;
PE-13(4)[3] defines a time period to resolve deficiencies identified when the facility undergoes such inspections; and
PE-13(4)[4] resolves identified deficiencies within the organization-defined time period.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
Determine if the organization:
PE-14(a)
  PE-14(a)[1] defines acceptable temperature levels to be maintained within the facility where the information system resides;
  PE-14(a)[2] defines acceptable humidity levels to be maintained within the facility where the information system resides;
  PE-14(a)[3] maintains temperature levels within the facility where the information system resides at the organization-defined levels;
  PE-14(a)[4] maintains
humidity levels within the facility where the information system resides at the organization-defined levels;
PE-14(b)
  PE-14(b)[1] defines the frequency to monitor temperature levels;
  PE-14(b)[2] defines the frequency to monitor humidity levels;
  PE-14(b)[3] monitors temperature levels with the organization-defined frequency; and
  PE-14(b)[4] monitors humidity levels with the organization-defined frequency.

PE-14(1) AUTOMATIC CONTROLS
Determine if the organization:
PE-14(1)[1] employs automatic temperature controls in the facility to prevent fluctuations potentially harmful to the information system; and
PE-14(1)[2] employs automatic humidity controls in the facility to prevent fluctuations potentially harmful to the information system.

PE-14(2) MONITORING WITH ALARMS / NOTIFICATIONS
Determine if the organization:
PE-14(2)[1] employs temperature monitoring that provides an alarm of changes potentially harmful to personnel or equipment; and/or
PE-14(2)[2] employs temperature monitoring that provides notification of changes potentially harmful to personnel or equipment;
PE-14(2)[3] employs humidity monitoring that provides an alarm of changes potentially harmful to personnel or equipment; and/or
PE-14(2)[4] employs humidity monitoring that provides notification of changes potentially harmful to personnel or equipment.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-15 WATER DAMAGE PROTECTION
Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:
PE-15[1] accessible;
PE-15[2] working properly; and
PE-15[3] known to key personnel.

PE-15(1) AUTOMATION SUPPORT
Determine if the organization:
PE-15(1)[1] defines personnel or roles to be alerted when the presence of water is detected in the vicinity of the information system;
PE-15(1)[2] employs automated mechanisms to detect the presence of water in the vicinity of the information system; and
PE-15(1)[3] alerts organization-defined personnel or roles when the presence of water is detected in the vicinity of the information system.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-16 DELIVERY AND REMOVAL
Determine if the organization:
PE-16[1] defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;
PE-16[2] authorizes organization-defined information system components entering the facility;
PE-16[3] monitors organization-defined information system components entering the facility;
PE-16[4] controls organization-defined information system components entering the facility;
PE-16[5] authorizes organization-defined information system components exiting the facility;
PE-16[6] monitors organization-defined information system components exiting the facility;
PE-16[7] controls organization-defined information system components exiting the facility;
PE-16[8] maintains records of information system components entering the facility; and
PE-16[9] maintains records of information system components exiting the facility.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-17 ALTERNATE WORK SITE
Determine if the organization:
PE-17(a)
  PE-17(a)[1] defines security controls to be employed at alternate work sites;
  PE-17(a)[2] employs organization-defined security controls at alternate work sites;
PE-17(b) assesses, as feasible, the effectiveness of security controls at alternate work sites; and
PE-17(c) provides a means for employees to communicate with information security personnel in case of security incidents or problems.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
Determine if the organization:
PE-18[1] defines physical hazards that could result in potential damage to information system components within the facility;
PE-18[2] defines environmental hazards that could result in potential damage to information system components within the facility;
PE-18[3] positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards; and
PE-18[4] positions information system components within the facility to minimize the opportunity for unauthorized access.

PE-18(1) FACILITY SITE
Determine if the organization:
PE-18(1)[1] plans the location or site of the facility where the information system resides with regard to physical hazards;
PE-18(1)[2] plans the location or site of the facility where the information system resides with regard to environmental hazards;
PE-18(1)[3] for existing facilities, considers the physical hazards in its risk mitigation strategy; and
PE-18(1)[4] for existing facilities, considers the environmental hazards in its risk mitigation strategy.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-19 INFORMATION LEAKAGE
Determine if the organization protects the information system from information leakage due to electromagnetic signals emanations.

PE-19(1) NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES
Determine if the organization ensures that the following are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information:
PE-19(1)[1] information system components;
PE-19(1)[2] associated data communications; and
PE-19(1)[3] networks.

PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-20 ASSET MONITORING AND TRACKING
Determine if the organization:
PE-20(a)
  PE-20(a)[1] defines assets whose location and movement are to be tracked and monitored;
  PE-20(a)[2] defines asset location technologies to be employed to track and monitor the location and movement of organization-defined assets;
  PE-20(a)[3] defines controlled areas within which to track and monitor organization-defined assets;
  PE-20(a)[4] employs organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas; and
PE-20(b) ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders,
directives, regulations, policies, standards and guidance.

PLANNING
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Determine if the organization:
PL-1(a)(1)
  PL-1(a)(1)[1] develops and documents a planning policy that addresses:
    PL-1(a)(1)[1][a] purpose;
    PL-1(a)(1)[1][b] scope;
    PL-1(a)(1)[1][c] roles;
    PL-1(a)(1)[1][d] responsibilities;
    PL-1(a)(1)[1][e] management commitment;
    PL-1(a)(1)[1][f] coordination among organizational entities;
    PL-1(a)(1)[1][g] compliance;
  PL-1(a)(1)[2] defines personnel or roles to whom the planning policy is to be disseminated;
  PL-1(a)(1)[3] disseminates the planning policy to organization-defined personnel or roles;
PL-1(a)(2)
  PL-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;
  PL-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
  PL-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
PL-1(b)(1)
  PL-1(b)(1)[1] defines the frequency to review and update the current planning policy;
  PL-1(b)(1)[2] reviews and updates the current planning policy with the organization-defined frequency;
PL-1(b)(2)
  PL-1(b)(2)[1] defines the frequency to review and update the current planning procedures; and
  PL-1(b)(2)[2] reviews and updates the current planning procedures with the organization-defined frequency.

PLANNING
PL-2 SYSTEM SECURITY PLAN
Determine if the organization:
PL-2(a) develops a security plan for the information system that:
  PL-2(a)(1) is consistent with the organization’s enterprise architecture;
  PL-2(a)(2) explicitly defines the authorization boundary for the system;
  PL-2(a)(3) describes the operational context of the information system in terms of missions and business processes;
  PL-2(a)(4) provides the security categorization of the information system including supporting rationale;
  PL-2(a)(5) describes the operational environment for the information system and relationships with or connections to other information systems;
  PL-2(a)(6) provides an overview of the security requirements for the system;
  PL-2(a)(7) identifies any relevant overlays, if applicable;
  PL-2(a)(8) describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;
  PL-2(a)(9) is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
PL-2(b)
  PL-2(b)[1] defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;
  PL-2(b)[2] distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;
PL-2(c)
  PL-2(c)[1] defines the frequency to review the security plan for the information system;
  PL-2(c)[2] reviews the security plan for the information system with the organization-defined frequency;
PL-2(d) updates the plan to address:
  PL-2(d)[1] changes to the information system/environment of operation;
  PL-2(d)[2] problems identified during plan implementation;
  PL-2(d)[3] problems identified during security control assessments;
PL-2(e) protects the security plan from unauthorized:
  PL-2(e)[1] disclosure; and
  PL-2(e)[2] modification.

PL-2(1) CONCEPT OF OPERATIONS
[Withdrawn: Incorporated into PL-7].

PL-2(2) FUNCTIONAL ARCHITECTURE
[Withdrawn: Incorporated into PL-8].

PL-2(3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
Determine if the organization:
PL-2(3)[1] defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and
PL-2(3)[2] plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.

PLANNING
PL-3 SYSTEM SECURITY PLAN UPDATE
[Withdrawn: Incorporated into PL-2].

PLANNING
PL-4 RULES OF BEHAVIOR
Determine if the organization:
PL-4(a)
  PL-4(a)[1] establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
  PL-4(a)[2] makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
PL-4(b) receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
PL-4(c)
  PL-4(c)[1] defines the frequency to review and update the rules of behavior;
  PL-4(c)[2] reviews and updates the rules of behavior with the organization-defined frequency; and
PL-4(d) requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PL-4(1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS
Determine if the organization includes the following in the rules of behavior:
PL-4(1)[1] explicit restrictions on the use of social media/networking sites; and
PL-4(1)[2] posting organizational information on public websites.

PLANNING
PL-5 PRIVACY IMPACT ASSESSMENT
[Withdrawn: Incorporated into Appendix J, AR-2].

PLANNING
PL-6 SECURITY-RELATED ACTIVITY PLANNING
[Withdrawn: Incorporated into PL-2].

PLANNING
PL-7 SECURITY CONCEPT OF OPERATIONS
Determine if the organization:
PL-7(a) develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum, how the organization intends to operate the system from the perspective of information security;
PL-7(b)
  PL-7(b)[1] defines the frequency to review and update the security CONOPS; and
  PL-7(b)[2] reviews and updates the security CONOPS with the organization-defined frequency.

PLANNING
PL-8 INFORMATION SECURITY
ARCHITECTURE
Determine if the organization:
PL-8(a) develops an information security architecture for the information system that describes:
  PL-8(a)(1) the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
  PL-8(a)(2) how the information security architecture is integrated into and supports the enterprise architecture;
  PL-8(a)(3) any information security assumptions about, and dependencies on, external services;
PL-8(b)
  PL-8(b)[1] defines the frequency to review and update the information security architecture;
  PL-8(b)[2] reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;
PL-8(c) ensures that planned information security architecture changes are reflected in:
  PL-8(c)[1] the security plan;
  PL-8(c)[2] the security Concept of Operations (CONOPS); and
  PL-8(c)[3] the organizational procurements/acquisitions.

PL-8(1) DEFENSE-IN-DEPTH
Determine if the organization:
PL-8(1)(a)
  PL-8(1)(a)[1] defines security safeguards to be allocated to locations and architectural layers within the design of its security architecture;
  PL-8(1)(a)[2] defines locations and architectural layers of its security architecture in which organization-defined security safeguards are to be allocated;
  PL-8(1)(a)[3] designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations and architectural layers; and
PL-8(1)(b) designs its security architecture using a defense-in-depth approach that ensures the allocated organization-defined security safeguards operate in a coordinated and mutually reinforcing manner.

PL-8(2) SUPPLIER DIVERSITY
Determine if the organization:
PL-8(2)[1] defines security safeguards to be allocated to locations and architectural layers within the design of its security architecture;
PL-8(2)[2] defines locations and architectural layers of its security architecture in which organization-defined security safeguards are to be allocated; and
PL-8(2)[3] requires that organization-defined security safeguards allocated to organization-defined locations and architectural layers are obtained from different suppliers.

PLANNING
PL-9 CENTRAL MANAGEMENT
Determine if the organization:
PL-9[1] defines security controls and related processes to be centrally managed; and
PL-9[2] centrally manages organization-defined security controls and related processes.

PROGRAM MANAGEMENT
PM-1 INFORMATION SECURITY PROGRAM PLAN
Determine if the organization:
PM-1(a) develops and disseminates an organization-wide information security program plan that:
  PM-1(a)(1)
    PM-1(a)(1)[1] provides an overview of the requirements for the security program;
    PM-1(a)(1)[2] provides a description of the:
      PM-1(a)(1)[2][a] security program management controls in place or planned for meeting those requirements;
      PM-1(a)(1)[2][b] common controls in place or planned for meeting those requirements;
  PM-1(a)(2) includes the identification and assignment of:
    PM-1(a)(2)[1] roles;
    PM-1(a)(2)[2] responsibilities;
    PM-1(a)(2)[3] management commitment;
    PM-1(a)(2)[4] coordination among organizational entities;
    PM-1(a)(2)[5] compliance;
  PM-1(a)(3) reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical);
  PM-1(a)(4) is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations, organizational assets, individuals, other organizations, and the Nation;
PM-1(b)
  PM-1(b)[1] defines the frequency to review the security program plan for the information system;
  PM-1(b)[2] reviews the organization-wide information security program plan with the organization-defined frequency;
PM-1(c) updates the plan to address organizational:
  PM-1(c)[1] changes identified during plan implementation;
  PM-1(c)[2] changes identified during security control assessments;
  PM-1(c)[3] problems identified during plan implementation;
  PM-1(c)[4] problems identified during security control assessments;
PM-1(d) protects the information security program plan from unauthorized:
  PM-1(d)[1] disclosure; and
  PM-1(d)[2] modification.

PROGRAM MANAGEMENT
PM-2 SENIOR INFORMATION SECURITY OFFICER
Determine if the organization appoints a senior information security officer with the mission and resources to:
PM-2[1] coordinate an organization-wide information security program;
PM-2[2] develop an organization-wide information security program;
PM-2[3] implement an organization-wide information security program; and
PM-2[4] maintain an organization-wide information security program.

PROGRAM MANAGEMENT
PM-3 INFORMATION SECURITY RESOURCES
Determine if the organization:
PM-3(a)
  PM-3(a)[1] ensures that all capital planning and investment requests include the resources needed to implement the information security program plan;
  PM-3(a)[2] documents all exceptions to the requirement;
PM-3(b) employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
PM-3(c) ensures that information security resources are available for expenditure as planned.

PROGRAM MANAGEMENT
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
Determine if the organization:
PM-4(a) implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
  PM-4(a)(1)
    PM-4(a)(1)[1] are developed;
    PM-4(a)(1)[2] are maintained;
  PM-4(a)(2) document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation;
  PM-4(a)(3) are reported in accordance with OMB FISMA reporting requirements;
PM-4(b) reviews plans of action and milestones for consistency with:
  PM-4(b)[1] the organizational risk management strategy; and
  PM-4(b)[2] organization-wide priorities for risk response actions.

PROGRAM MANAGEMENT
PM-5 INFORMATION SYSTEM INVENTORY
Determine if the organization:
PM-5[1] develops an inventory of its information systems; and
PM-5[2] maintains the inventory of its information systems.

PROGRAM MANAGEMENT
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
Determine if the organization:
PM-6[1] develops information security measures of performance;
PM-6[2] monitors information security measures of performance; and
PM-6[3] reports information security measures of performance.

PROGRAM MANAGEMENT
PM-7 ENTERPRISE ARCHITECTURE
Determine if the organization develops an enterprise architecture with consideration for:
PM-7[1] information security; and
PM-7[2] the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

PROGRAM MANAGEMENT
PM-8 CRITICAL INFRASTRUCTURE PLAN
Determine if the organization addresses information security issues in the:
PM-8[1] development of a critical infrastructure and key resources protection plan;
PM-8[2] documentation of a critical infrastructure and key resources protection plan; and
PM-8[3] updating of the critical infrastructure and key resources protection plan.

PROGRAM MANAGEMENT
PM-9 RISK MANAGEMENT STRATEGY
Determine if the organization:
PM-9(a) develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
PM-9(b) implements the risk management strategy consistently across the organization;
PM-9(c)
  PM-9(c)[1] defines the frequency to review and update the risk management strategy;
  PM-9(c)[2] reviews and updates the risk management strategy to address organizational changes:
    PM-9(c)[2][a] with the organization-defined frequency; or
    PM-9(c)[2][b] as required.

PROGRAM MANAGEMENT
PM-10 SECURITY AUTHORIZATION PROCESS
Determine if the organization:
PM-10(a) manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
PM-10(b) designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
PM-10(c) fully integrates the security authorization processes into an organization-wide risk management program.

PROGRAM MANAGEMENT
PM-11 MISSION/BUSINESS PROCESS DEFINITION
Determine if the organization:
PM-11(a) defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
PM-11(b)
  PM-11(b)[1] determines information protection needs arising from the defined mission/business process; and
  PM-11(b)[2] revises the processes as necessary until achievable protection needs are obtained.

PROGRAM MANAGEMENT
PM-12 INSIDER THREAT PROGRAM
Determine if the organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

PROGRAM MANAGEMENT
PM-13 INFORMATION SECURITY WORKFORCE
Determine if the organization establishes an information security workforce development and improvement program.
PROGRAM MANAGEMENT
PM-14 TESTING, TRAINING, AND MONITORING
Determine if the organization:
PM-14(a) implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
  PM-14(a)(1)
    PM-14(a)(1)[1] are developed;
    PM-14(a)(1)[2] are maintained;
  PM-14(a)(2) continue to be executed in a timely manner;
PM-14(b) reviews testing, training, and monitoring plans for consistency with:
  PM-14(b)[1] the organizational risk management strategy; and
  PM-14(b)[2] organization-wide priorities for risk response actions.

PROGRAM MANAGEMENT
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
Determine if the organization establishes and institutionalizes contact with selected groups and associations within the security community to:
PM-15(a) facilitate ongoing security education and training for organizational personnel;
PM-15(b) maintain currency with recommended security practices, techniques, and technologies; and
PM-15(c) share current security-related information including threats, vulnerabilities, and incidents.

PROGRAM MANAGEMENT
PM-16 THREAT AWARENESS PROGRAM
Determine if the organization implements a threat awareness program that includes a cross-organization information-sharing capability.
PERSONNEL SECURITY
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
Determine if the organization:
  PS-1(a)(1)
    PS-1(a)(1)[1] develops and documents a personnel security policy that addresses:
      PS-1(a)(1)[1][a] purpose;
      PS-1(a)(1)[1][b] scope;
      PS-1(a)(1)[1][c] roles;
      PS-1(a)(1)[1][d] responsibilities;
      PS-1(a)(1)[1][e] management commitment;
      PS-1(a)(1)[1][f] coordination among organizational entities;
      PS-1(a)(1)[1][g] compliance;
    PS-1(a)(1)[2] defines personnel or roles to whom the personnel security policy is to be disseminated;
    PS-1(a)(1)[3] disseminates the personnel security policy to organization-defined personnel or roles;
  PS-1(a)(2)
    PS-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;
    PS-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    PS-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  PS-1(b)(1)
    PS-1(b)(1)[1] defines the frequency to review and update the current personnel security policy;
    PS-1(b)(1)[2] reviews and updates the current personnel security policy with the organization-defined frequency;
  PS-1(b)(2)
    PS-1(b)(2)[1] defines the frequency to review and update the current personnel security procedures; and
    PS-1(b)(2)[2] reviews and updates the current personnel security procedures with the organization-defined frequency.

PERSONNEL SECURITY
PS-2 POSITION RISK DESIGNATION
Determine if the organization:
  PS-2(a) assigns a risk designation to all organizational positions;
  PS-2(b) establishes screening criteria for individuals filling those positions;
  PS-2(c)
    PS-2(c)[1] defines the frequency to review and update position risk designations; and
    PS-2(c)[2] reviews and updates position risk designations with the organization-defined frequency.

PERSONNEL SECURITY
PS-3 PERSONNEL SCREENING
Determine if the organization:
  PS-3(a) screens individuals prior to authorizing access to the information system;
  PS-3(b)
    PS-3(b)[1] defines conditions requiring re-screening;
    PS-3(b)[2] defines the frequency of re-screening where it is so indicated; and
    PS-3(b)[3] re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.
PS-3(1) CLASSIFIED INFORMATION
Determine if the organization:
  PS-3(1)[1] ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared to the highest classification level of the information to which they have access on the system; and
  PS-3(1)[2] ensures that individuals accessing an information system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3(2) FORMAL INDOCTRINATION
Determine if the organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.
PS-3(3) INFORMATION WITH SPECIAL PROTECTION MEASURES
Determine if the organization:
  PS-3(3)(a) ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;
  PS-3(3)(b)
    PS-3(3)(b)[1] defines additional personnel screening criteria to be satisfied for individuals accessing an information system processing, storing, or transmitting information requiring special protection; and
    PS-3(3)(b)[2] ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy organization-defined additional personnel screening criteria.

PERSONNEL SECURITY
PS-4 PERSONNEL TERMINATION
Determine if the organization, upon termination of individual employment:
  PS-4(a)
    PS-4(a)[1] defines a time period within which to disable information system access;
    PS-4(a)[2] disables information system access within the organization-defined time period;
  PS-4(b) terminates/revokes any authenticators/credentials associated with the individual;
  PS-4(c)
    PS-4(c)[1] defines information security topics to be discussed when conducting exit interviews;
    PS-4(c)[2] conducts exit interviews that include a discussion of organization-defined information security topics;
  PS-4(d) retrieves all security-related organizational information system-related property;
  PS-4(e) retains access to organizational information and information systems formerly controlled by the terminated individual;
  PS-4(f)
    PS-4(f)[1] defines personnel or roles to be notified of the termination;
    PS-4(f)[2] defines the time period within which to notify organization-defined personnel or roles; and
    PS-4(f)[3] notifies organization-defined personnel or roles within the organization-defined time period.
PS-4(1) POST-EMPLOYMENT REQUIREMENTS
Determine if the organization:
  PS-4(1)(a) notifies terminated individuals of applicable, legally binding, post-employment requirements for the protection of organizational information; and
  PS-4(1)(b) requires terminated individuals to sign an acknowledgement of post-employment requirements as part of the organizational termination process.
PS-4(2) AUTOMATED NOTIFICATION
Determine if the organization:
  PS-4(2)[1] defines personnel or roles to be notified upon termination of an individual; and
  PS-4(2)[2] employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual.

PERSONNEL SECURITY
PS-5 PERSONNEL TRANSFER
Determine if the organization:
  PS-5(a) when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:
    PS-5(a)[1] logical access authorizations to information systems;
    PS-5(a)[2] physical access authorizations to information systems and facilities;
  PS-5(b)
    PS-5(b)[1] defines transfer or reassignment actions to be initiated following transfer or reassignment;
    PS-5(b)[2] defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;
    PS-5(b)[3] initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;
  PS-5(c) modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;
  PS-5(d)
    PS-5(d)[1] defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;
    PS-5(d)[2] defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and
    PS-5(d)[3] notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

PERSONNEL SECURITY
PS-6 ACCESS AGREEMENTS
Determine if the organization:
  PS-6(a) develops and documents access agreements for organizational information systems;
  PS-6(b)
    PS-6(b)[1] defines the frequency to review and update the access agreements;
    PS-6(b)[2] reviews and updates the access agreements with the organization-defined frequency;
  PS-6(c)
    PS-6(c)(1) ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;
    PS-6(c)(2)
      PS-6(c)(2)[1] defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;
      PS-6(c)(2)[2] ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.
PS-6(1) INFORMATION REQUIRING SPECIAL PROTECTION
[Withdrawn: Incorporated into PS-3].
PS-6(2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION
Determine if the organization ensures that access to classified information requiring special protection is granted only to individuals who:
  PS-6(2)(a) have a valid access authorization that is demonstrated by assigned official government duties;
  PS-6(2)(b) satisfy associated personnel security criteria; and
  PS-6(2)(c) have read, understood, and signed a nondisclosure agreement.
PS-6(3) POST-EMPLOYMENT REQUIREMENTS
Determine if the organization:
  PS-6(3)(a) notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
  PS-6(3)(b) requires individuals to sign an acknowledgement of these requirements, if applicable, as part of granting initial access to covered information.

PERSONNEL SECURITY
PS-7 THIRD-PARTY PERSONNEL SECURITY
Determine if the organization:
  PS-7(a) establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
  PS-7(b) requires third-party providers to comply with personnel security policies and procedures established by the organization;
  PS-7(c) documents personnel security requirements;
  PS-7(d)
    PS-7(d)[1] defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;
    PS-7(d)[2] defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;
    PS-7(d)[3] requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and
  PS-7(e) monitors provider compliance.

PERSONNEL SECURITY
PS-8 PERSONNEL SANCTIONS
Determine if the organization:
  PS-8(a) employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;
  PS-8(b)
    PS-8(b)[1] defines personnel or roles to be notified when a formal employee sanctions process is initiated;
    PS-8(b)[2] defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and
    PS-8(b)[3] notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

RISK ASSESSMENT
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
Determine if the organization:
  RA-1(a)(1)
    RA-1(a)(1)[1] develops and documents a risk assessment policy that addresses:
      RA-1(a)(1)[1][a] purpose;
      RA-1(a)(1)[1][b] scope;
      RA-1(a)(1)[1][c] roles;
      RA-1(a)(1)[1][d] responsibilities;
      RA-1(a)(1)[1][e] management commitment;
      RA-1(a)(1)[1][f] coordination among organizational entities;
      RA-1(a)(1)[1][g] compliance;
    RA-1(a)(1)[2] defines personnel or roles to whom the risk assessment policy is to be disseminated;
    RA-1(a)(1)[3] disseminates the risk assessment policy to organization-defined personnel or roles;
  RA-1(a)(2)
    RA-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;
    RA-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    RA-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  RA-1(b)(1)
    RA-1(b)(1)[1] defines the frequency to review and update the current risk assessment policy;
    RA-1(b)(1)[2] reviews and updates the current risk assessment policy with the organization-defined frequency;
  RA-1(b)(2)
    RA-1(b)(2)[1] defines the frequency to review and update the current risk assessment procedures; and
    RA-1(b)(2)[2] reviews and updates the current risk assessment procedures with the organization-defined frequency.

RISK ASSESSMENT
RA-2 SECURITY CATEGORIZATION
Determine if the organization:
  RA-2(a) categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  RA-2(b) documents the security categorization results (including supporting rationale) in the security plan for the information system; and
  RA-2(c) ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

RISK ASSESSMENT
RA-3 RISK ASSESSMENT
Determine if the organization:
  RA-3(a) conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:
    RA-3(a)[1] the information system;
    RA-3(a)[2] the information the system processes, stores, or transmits;
  RA-3(b)
    RA-3(b)[1] defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);
    RA-3(b)[2] documents risk assessment results in one of the following:
      RA-3(b)[2][a] the security plan;
      RA-3(b)[2][b] the risk assessment report; or
      RA-3(b)[2][c] the organization-defined document;
  RA-3(c)
    RA-3(c)[1] defines the frequency to review risk assessment results;
    RA-3(c)[2] reviews risk assessment results with the organization-defined frequency;
  RA-3(d)
    RA-3(d)[1] defines personnel or roles to whom risk assessment results are to be disseminated;
    RA-3(d)[2] disseminates risk assessment results to organization-defined personnel or roles;
  RA-3(e)
    RA-3(e)[1] defines the frequency to update the risk assessment;
    RA-3(e)[2] updates the risk assessment:
      RA-3(e)[2][a] with the organization-defined frequency;
      RA-3(e)[2][b] whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and
      RA-3(e)[2][c] whenever there are other conditions that may impact the security state of the system.

RISK ASSESSMENT
RA-4 RISK ASSESSMENT UPDATE
[Withdrawn: Incorporated into RA-3].

RISK ASSESSMENT
RA-5 VULNERABILITY SCANNING
Determine if the organization:
  RA-5(a)
    RA-5(a)[1]
      RA-5(a)[1][a] defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or
      RA-5(a)[1][b] defines the process for conducting random vulnerability scans on the information system and hosted applications;
    RA-5(a)[2] in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:
      RA-5(a)[2][a] the information system;
      RA-5(a)[2][b] hosted applications;
    RA-5(a)[3] when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:
      RA-5(a)[3][a] the information system;
      RA-5(a)[3][b] hosted applications;
  RA-5(b) employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    RA-5(b)(1)
      RA-5(b)(1)[1] enumerating platforms;
      RA-5(b)(1)[2] enumerating software flaws;
      RA-5(b)(1)[3] enumerating improper configurations;
    RA-5(b)(2)
      RA-5(b)(2)[1] formatting checklists;
      RA-5(b)(2)[2] formatting test procedures;
    RA-5(b)(3) measuring vulnerability impact;
  RA-5(c)
    RA-5(c)[1] analyzes vulnerability scan reports;
    RA-5(c)[2] analyzes results from security control assessments;
  RA-5(d)
    RA-5(d)[1] defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;
    RA-5(d)[2] remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;
  RA-5(e)
    RA-5(e)[1] defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;
    RA-5(e)[2] shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and
    RA-5(e)[3] shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5(1) UPDATE TOOL CAPABILITY
Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
RA-5(2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
Determine if the organization:
  RA-5(2)[1] defines the frequency to update the information system vulnerabilities scanned;
  RA-5(2)[2] updates the information system vulnerabilities scanned one or more of the following:
    RA-5(2)[2][a] with the organization-defined frequency;
    RA-5(2)[2][b] prior to a new scan; and/or
    RA-5(2)[2][c] when new vulnerabilities are identified and reported.
RA-5(3) BREADTH / DEPTH OF COVERAGE
Determine if the organization employs vulnerability scanning procedures that can identify:
  RA-5(3)[1] the breadth of coverage (i.e., information system components scanned); and
  RA-5(3)[2] the depth of coverage (i.e., vulnerabilities checked).
RA-5(4) DISCOVERABLE INFORMATION
Determine if the organization:
  RA-5(4)[1] defines corrective actions to be taken if information about the information system is discoverable by adversaries;
  RA-5(4)[2] determines what information about the information system is discoverable by adversaries; and
  RA-5(4)[3] subsequently takes organization-defined corrective actions.
RA-5(5) PRIVILEGED ACCESS
Determine if:
  RA-5(5)[1] the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;
  RA-5(5)[2] the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and
  RA-5(5)[3] the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities.
RA-5(6) AUTOMATED TREND ANALYSES
Determine if the organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
RA-5(7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS
[Withdrawn: Incorporated into CM-8].
RA-5(8) REVIEW HISTORIC AUDIT LOGS
Determine if the organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
RA-5(9) PENETRATION TESTING AND ANALYSES
[Withdrawn: Incorporated into CA-8].
RA-5(10) CORRELATE SCANNING INFORMATION
Determine if the organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
RISK ASSESSMENT
RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
Determine if the organization:
  RA-6[1] defines locations to employ technical surveillance countermeasure surveys;
  RA-6[2] defines a frequency to employ technical surveillance countermeasure surveys;
  RA-6[3] defines events or indicators which, if they occur, trigger a technical surveillance countermeasures survey;
  RA-6[4] employs a technical surveillance countermeasures survey at organization-defined locations one or more of the following:
    RA-6[4][a] with the organization-defined frequency; and/or
    RA-6[4][b] when organization-defined events or indicators occur.

SYSTEM AND SERVICES ACQUISITION
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
Determine if the organization:
  SA-1(a)(1)
    SA-1(a)(1)[1] develops and documents a system and services acquisition policy that addresses:
      SA-1(a)(1)[1][a] purpose;
      SA-1(a)(1)[1][b] scope;
      SA-1(a)(1)[1][c] roles;
      SA-1(a)(1)[1][d] responsibilities;
      SA-1(a)(1)[1][e] management commitment;
      SA-1(a)(1)[1][f] coordination among organizational entities;
      SA-1(a)(1)[1][g] compliance;
    SA-1(a)(1)[2] defines personnel or roles to whom the system and services acquisition policy is to be disseminated;
    SA-1(a)(1)[3] disseminates the system and services acquisition policy to organization-defined personnel or roles;
  SA-1(a)(2)
    SA-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;
    SA-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    SA-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  SA-1(b)(1)
    SA-1(b)(1)[1] defines the frequency to review and update the current system and services acquisition policy;
    SA-1(b)(1)[2] reviews and updates the current system and services acquisition policy with the organization-defined frequency;
  SA-1(b)(2)
    SA-1(b)(2)[1] defines the frequency to review and update the current system and services acquisition procedures; and
    SA-1(b)(2)[2] reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

SYSTEM AND SERVICES ACQUISITION
SA-2 ALLOCATION OF RESOURCES
Determine if the organization:
  SA-2(a) determines information security requirements for the information system or information system service in mission/business process planning;
  SA-2(b) to protect the information system or information system service as part of its capital planning and investment control process:
    SA-2(b)[1] determines the resources required;
    SA-2(b)[2] documents the resources required;
    SA-2(b)[3] allocates the resources required; and
  SA-2(c) establishes a discrete line item for information security in organizational programming and budgeting documentation.

SYSTEM AND SERVICES ACQUISITION
SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
Determine if the organization:
  SA-3(a)
    SA-3(a)[1] defines a system development life cycle that incorporates information security considerations to be used to manage the information system;
    SA-3(a)[2] manages the information system using the organization-defined system development life cycle;
  SA-3(b) defines and documents information security roles and responsibilities throughout the system development life cycle;
  SA-3(c) identifies individuals having information security roles and responsibilities; and
  SA-3(d) integrates the organizational information security risk management process into system development life cycle activities.

SYSTEM AND SERVICES ACQUISITION
SA-4 ACQUISITION PROCESS
Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
  SA-4(a) security functional requirements;
  SA-4(b) security strength requirements;
  SA-4(c) security assurance requirements;
  SA-4(d) security-related documentation requirements;
  SA-4(e) requirements for protecting security-related documentation;
  SA-4(f) description of:
    SA-4(f)[1] the information system development environment;
    SA-4(f)[2] the environment in which the system is intended to operate; and
  SA-4(g) acceptance criteria.
SA-4(1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
SA-4(2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS
Determine if the organization:
  SA-4(2)[1] defines the level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;
  SA-4(2)[2] defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);
  SA-4(2)[3] requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:
    SA-4(2)[3][a] security-relevant external system interfaces;
    SA-4(2)[3][b] high-level design;
    SA-4(2)[3][c] low-level design;
    SA-4(2)[3][d] source code;
    SA-4(2)[3][e] hardware schematics; and/or
    SA-4(2)[3][f] organization-defined design/implementation information.
SA-4(3) DEVELOPMENT METHODS / TECHNIQUES / PRACTICES
Determine if the organization:
  SA-4(3)[1] defines state-of-the-practice system/security engineering methods to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;
  SA-4(3)[2] defines software development methods to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;
  SA-4(3)[3] defines testing/evaluation/validation techniques to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;
  SA-4(3)[4] defines quality control processes to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;
  SA-4(3)[5] requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes:
    SA-4(3)[5][a] organization-defined state-of-the-practice system/security engineering methods;
    SA-4(3)[5][b] organization-defined software development methods;
    SA-4(3)[5][c] organization-defined testing/evaluation/validation techniques; and
    SA-4(3)[5][d] organization-defined quality control processes.
SA-4(4) ASSIGNMENT OF COMPONENTS TO SYSTEMS
[Withdrawn: Incorporated into CM-8(9)].
SA-4(5) SYSTEM / COMPONENT / SERVICE CONFIGURATIONS
Determine if the organization:
  SA-4(5)(a)
    SA-4(5)(a)[1] defines security configurations to be implemented by the developer of the information system, system component, or information system service;
    SA-4(5)(a)[2] requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented; and
  SA-4(5)(b) requires the developer of the information system, system component, or information system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4(6) USE OF INFORMATION ASSURANCE PRODUCTS
Determine if the organization:
  SA-4(6)(a) employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
  SA-4(6)(b) ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
SA-4(7) NIAP-APPROVED PROTECTION PROFILES
Determine if the organization:
  SA-4(7)(a) limits the use of commercially-provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
  SA-4(7)(b) requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
SA-4(8) CONTINUOUS MONITORING PLAN
Determine if the organization:
  SA-4(8)[1] defines the level of detail the developer of the information system, system component, or information system service is required to provide when producing a plan for the continuous monitoring of security control effectiveness; and
  SA-4(8)[2] requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains the organization-defined level of detail.
SA-4(9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE
Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:
  SA-4(9)[1] the functions intended for organizational use;
  SA-4(9)[2] the ports intended for organizational use;
  SA-4(9)[3] the protocols intended for organizational use; and
  SA-4(9)[4] the services intended for organizational use.
SA-4(10) USE OF APPROVED PIV PRODUCTS
Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

SYSTEM AND SERVICES ACQUISITION
SA-5 INFORMATION SYSTEM DOCUMENTATION
Determine if the organization:
  SA-5(a) obtains administrator documentation for the information system, system component, or information system service that describes:
    SA-5(a)(1)
      SA-5(a)(1)[1] secure configuration of the system, system component, or service;
      SA-5(a)(1)[2] secure installation of the system, system component, or service;
      SA-5(a)(1)[3] secure operation of the system, system component, or service;
    SA-5(a)(2)
      SA-5(a)(2)[1] effective use of the security features/mechanisms;
      SA-5(a)(2)[2] effective maintenance of the security features/mechanisms;
    SA-5(a)(3) known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
  SA-5(b) obtains user documentation for the information system, system component, or information system service that describes:
    SA-5(b)(1)
      SA-5(b)(1)[1] user-accessible security functions/mechanisms;
      SA-5(b)(1)[2] how to effectively use those functions/mechanisms;
    SA-5(b)(2) methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;
    SA-5(b)(3) user responsibilities in maintaining the security of the system, component, or service;
  SA-5(c)
    SA-5(c)[1] defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;
    SA-5(c)[2] documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;
    SA-5(c)[3] takes organization-defined actions in response;
  SA-5(d) protects documentation as required, in accordance with the risk management strategy;
  SA-5(e)
    SA-5(e)[1] defines personnel or roles to whom documentation is to be distributed; and
    SA-5(e)[2] distributes documentation to organization-defined personnel or roles.
SA-5(1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
[Withdrawn: Incorporated into SA-4(1)].
SA-5(2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES
[Withdrawn: Incorporated into SA-4(2)].
SA-5(3) HIGH-LEVEL DESIGN
[Withdrawn: Incorporated into SA-4(2)].
SA-5(4) LOW-LEVEL DESIGN
[Withdrawn: Incorporated into SA-4(2)].
SA-5(5) SOURCE CODE
[Withdrawn: Incorporated into SA-4(2)].

SYSTEM AND SERVICES ACQUISITION
SA-6 SOFTWARE USAGE RESTRICTIONS
[Withdrawn: Incorporated into CM-10 and SI-7].

SYSTEM AND SERVICES ACQUISITION
SA-7 USER-INSTALLED SOFTWARE
[Withdrawn: Incorporated into CM-11 and SI-7].

SYSTEM AND SERVICES ACQUISITION
SA-8 SECURITY ENGINEERING PRINCIPLES
Determine if the organization applies information system security engineering principles in:
  SA-8[1] the specification of the information system;
  SA-8[2] the design of the information system;
  SA-8[3] the development of the information system;
  SA-8[4] the implementation of the information system; and
  SA-8[5] the modification of the information system.

SYSTEM AND SERVICES ACQUISITION
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
Determine if the organization:
  SA-9(a)
    SA-9(a)[1] defines security controls to be employed by providers of external information system services;
    SA-9(a)[2] requires that providers of external information system services comply with organizational information security requirements;
    SA-9(a)[3] requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  SA-9(b)
    SA-9(b)[1] defines and documents government oversight with regard to external information system services;
    SA-9(b)[2] defines and documents user roles and responsibilities with regard to external information system services;
  SA-9(c)
    SA-9(c)[1] defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and
    SA-9(c)[2] employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.
SA-9(1) RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS
Determine if the organization:
  SA-9(1)(a) conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services;
  SA-9(1)(b)
    SA-9(1)(b)[1] defines personnel or roles designated to approve the acquisition or outsourcing of dedicated information security services; and
    SA-9(1)(b)[2] ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.
SA-9(2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES
Determine if the organization:
  SA-9(2)[1] defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;
  SA-9(2)[2] requires providers of organization-defined external information system services to identify:
    SA-9(2)[2][a] the functions required for the use of such services;
    SA-9(2)[2][b] the ports required for the use of such services;
    SA-9(2)[2][c] the protocols required for the use of such services; and
    SA-9(2)[2][d] the other services required for the use of such services.
SA-9(3) ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS
Determine if the organization:
  SA-9(3)[1] defines requirements, properties, factors, or conditions defining acceptable trust relationships;
  SA-9(3)[2] based on organization-defined requirements, properties, factors, or conditions defining acceptable trust relationships:
    SA-9(3)[2][a] establishes trust relationships with external service providers;
    SA-9(3)[2][b] documents trust relationships with external service providers; and
    SA-9(3)[2][c] maintains trust relationships with external service providers.
SA-9(4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
Determine if the organization:
  SA-9(4)[1] defines external service providers whose interests are to be consistent with and reflect organizational interests;
  SA-9(4)[2] defines security safeguards to be employed to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests; and
  SA-9(4)[3] employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
SA-9(5) PROCESSING, STORAGE, AND SERVICE LOCATION
Determine if the organization:
  SA-9(5)[1] defines locations where organization-defined information processing, information/data, and/or information system services are to be restricted;
  SA-9(5)[2] defines requirements or conditions to restrict the location of information processing, information/data, and/or information system services;
  SA-9(5)[3] restricts the location of one or more of the following to organization-defined locations based on organization-defined requirements or conditions:
    SA-9(5)[3][a] information processing;
    SA-9(5)[3][b] information/data; and/or
    SA-9(5)[3][c] information services.

SYSTEM AND SERVICES ACQUISITION
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
Determine if the organization:
  SA-10(a) requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:
    SA-10(a)[1] system, component, or service design;
    SA-10(a)[2] system, component, or service development;
    SA-10(a)[3] system, component, or service implementation; and/or
    SA-10(a)[4] system, component, or service operation;
  SA-10(b)
    SA-10(b)[1] defines configuration items to be placed under configuration
management;SA-10(b)[2]requires the developer of the information system, system component, or information system service to:SA-10(b)[2][a]document the integrity of changes to organization-defined items under configuration management;SA-10(b)[2][b]manage the integrity of changes to organization-defined items under configuration management;SA-10(b)[2][c]control the integrity of changes to organization-defined items under configuration management;SA-10(c)requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;SA-10(d)requires the developer of the information system, system component, or information system service to document:SA-10(d)[1]approved changes to the system, component, or service;SA-10(d)[2]the potential security impacts of such changes;SA-10(e)SA-10(e)[1]defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;SA-10(e)[2]requires the developer of the information system, system component, or information system service to:SA-10(e)[2][a]track security flaws within the system, component, or service;SA-10(e)[2][b]track security flaw resolution within the system, component, or service; andSA-10(e)[2][c]report findings to organization-defined personnel.SA-10(1)SOFTWARE / FIRMWARE INTEGRITY VERIFICATIONDetermine if the organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.SA-10(2)ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSESDetermine if the organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated developer configuration management team.SA-10(3)HARDWARE INTEGRITY VERIFICATIONDetermine if the organization requires the developer of the information 
system, system component, or information system service to enable integrity verification of hardware components.SA-10(4)TRUSTED GENERATIONDetermine if the organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of:SA-10(4)[1]security-relevant hardware descriptions with previous versions; andSA-10(4)[2]software/firmware source and object code with previous versions.SA-10(5)MAPPING INTEGRITY FOR VERSION CONTROLDetermine if the organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.SA-10(6)TRUSTED DISTRIBUTIONDetermine if the organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.SYSTEM AND SERVICES ACQUISITIONSA-11DEVELOPER SECURITY TESTING AND EVALUATIONDetermine if the organization:SA-11(a)requires the developer of the information system, system component, or information system service to create and implement a security plan;SA-11(b)SA-11(b)[1]defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;SA-11(b)[2]defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;SA-11(b)[3]requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation 
at the organization-defined depth and coverage:SA-11(b)[3][a]unit testing/evaluation;SA-11(b)[3][b]integration testing/evaluation;SA-11(b)[3][c]system testing/evaluation; and/orSA-11(b)[3][d]regression testing/evaluation;SA-11(c)requires the developer of the information system, system component, or information system service to produce evidence of:SA-11(c)[1]the execution of the security assessment plan;SA-11(c)[2]the results of the security testing/evaluation;SA-11(d)requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; andSA-11(e)requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.SA-11(1)STATIC CODE ANALYSISDetermine if the organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.SA-11(2)THREAT AND VULNERABILITY ANALYSESDetermine if the organization requires the developer of the information system, system component, or information system service to perform:SA-11(2)[1]threat analyses of the as-built, system component, or service;SA-11(2)[2]vulnerability analyses of the as-built, system component, or service; andSA-11(2)[3]subsequent testing/evaluation of the as-built, system component, or service.SA-11(3)INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCEDetermine if the organization:SA-11(3)(a)SA-11(3)(a)[1]defines independence criteria that an independent agent is required to satisfy;SA-11(3)(a)[2]requires an independent agent satisfying organization-defined independence criteria to verify:SA-11(3)(a)[2][a]the correct implementation of the developer security assessment plan;SA-11(3)(a)[2][b]the evidence produced during security testing/evaluation;SA-11(3)(b)ensures that the independent agent is 
either:SA-11(3)(b)[1]provided with sufficient information to complete the verification process; orSA-11(3)(b)[2]granted the authority to obtain such information.SA-11(4)MANUAL CODE REVIEWSDetermine if the organization:SA-11(4)[1]defines specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review;SA-11(4)[2]defines processes, procedures, and/or techniques to be used when the developer performs a manual code review of organization-defined specific code; andSA-11(4)[3]requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.SA-11(5)PENETRATION TESTING / ANALYSISDetermine if the organization:SA-11(5)[1]defines for the developer of the information system, system component, or information system service:SA-11(5)[1][a]the breadth of penetration testing to be performed by the developer;SA-11(5)[1][b]the depth of penetration testing to be performed by the developer;SA-11(5)[2]defines constraints under which the developer is to perform penetration testing; andSA-11(5)[3]requires the developer of the information system, system component, or information system service to perform penetration testing at organization-defined breadth/depth and with organization-defined constraints.SA-11(6)ATTACK SURFACE REVIEWSDetermine if the organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.SA-11(7)VERIFY SCOPE OF TESTING / EVALUATIONDetermine if the organization:SA-11(7)[1]defines the depth of testing/evaluation to ensure the scope of security/testing evaluation provides complete coverage of required security controls; andSA-11(7)[2]requires the developer of the information system, system component, or information system service 
to verify that the scope of security testing/evaluation provides complete coverage of required security controls at the organization-defined depth of testing/evaluation.SA-11(8)DYNAMIC CODE ANALYSISDetermine if the organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.SYSTEM AND SERVICES ACQUISITIONSA-12SUPPLY CHAIN PROTECTIONDetermine if the organization:SA-12[1]defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; andSA-12[2]protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.SA-12(1)ACQUISITION STRATEGIES / TOOLS / METHODSDetermine if the organization:SA-12(1)[1]defines the following to be employed for the purchase of the information system, system component, or information system service from suppliers:SA-12(1)[1][a]tailored acquisition strategies;SA-12(1)[1][b]contract tools;SA-12(1)[1][c]procurement methods; andSA-12(1)[2]employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.SA-12(2)SUPPLIER REVIEWSDetermine if the organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.SA-12(3)TRUSTED SHIPPING AND WAREHOUSINGSA-12(1)[Withdrawn: Incorporated into SA-12(1)].SA-12(4)DIVERSITY OF SUPPLIERSSA-12(13)[Withdrawn: Incorporated into SA-12(13)].SA-12(5)LIMITATION OF HARMDetermine if the organization:SA-12(5)[1]defines security safeguards to be employed to 
limit harm from potential adversaries identifying and targeting the organizational supply chain; andSA-12(5)[2]employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain.SA-12(6)MINIMIZING PROCUREMENT TIMESA-12(1)[Withdrawn: Incorporated into SA-12(1)].SA-12(7)ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATEDetermine if the organization conducts an assessment of the information system, system component, or information system service prior to:SA-12(7)[1]selection;SA-12(7)[2]acceptance; orSA-12(7)[3]update.SA-12(8)USE OF ALL-SOURCE INTELLIGENCEDetermine if the organization uses all-source intelligence analysis of:SA-12(8)[1]suppliers of the information system, system component, or information system service; andSA-12(8)[2]potential suppliers of the information system, system component, or information system service.SA-12(9)OPERATIONS SECURITYDetermine if the organization:SA-12(9)[1]defines Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service; andSA-12(9)[2]employs organization-defined OPSEC safeguards in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.SA-12(10)VALIDATE AS GENUINE AND NOT ALTEREDDetermine if the organization:SA-12(10)[1]defines security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered; andSA-12(10)[2]employs organization-defined security safeguards to validate that the information system or system components received is genuine and has not been altered.SA-12(11)PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORSDetermine if the organization:SA-12(11)[1]defines supply chain:SA-12(11)[1][a]elements to 
be analyzed and/or tested;SA-12(11)[1][b]processes to be analyzed and/or tested;SA-12(11)[1][c]actors to be analyzed and/or tested;SA-12(11)[2]employs one or more of the following to analyze and/or test organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service:SA-12(11)[2][a]organizational analysis;SA-12(11)[2][b]independent third party analysis;SA-12(11)[2][c]organizational penetration testing; and/orSA-12(11)[2][d]independent third-party penetration testing.SA-12(12)INTER-ORGANIZATIONAL AGREEMENTSDetermine if the organization establishes, with entities involved in the supply chain for the information system, system component, or information system service,:SA-12(12)[1]inter-organizational agreements; andSA-12(12)[2]inter-organizational procedures.SA-12(13)CRITICAL INFORMATION SYSTEM COMPONENTSDetermine if the organization:SA-12(13)[1]defines critical information system components for which security safeguards are to be employed to ensure an adequate supply of such components;SA-12(13)[2]defines security safeguards to be employed to ensure an adequate supply of organization-defined critical information components; andSA-12(13)[3]employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components.SA-12(14)IDENTITY AND TRACEABILITYDetermine if the organization:SA-12(14)[1]defines the following for the establishment and retention of unique identification:SA-12(14)[1][a]supply chain elements;SA-12(14)[1][b]supply chain processes;SA-12(14)[1][c]supply chain actors; andSA-12(14)[2]establishes and retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.SA-12(15)PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIESDetermine if the organization establishes a process to address weaknesses or 
deficiencies in supply chain elements identified during independent or organizational assessments of such elements.SYSTEM AND SERVICES ACQUISITIONSA-13TRUSTWORTHINESSDetermine if the organization:SA-13(a)SA-13(a)[1]defines information system, system component, or information system service for which the trustworthiness required is to be described;SA-13(a)[2]describes the trustworthiness required in organization-defined information system, information system component, or information system service supporting its critical mission/business functions;SA-13(b)SA-13(b)[1]defines an assurance overlay to be implemented to achieve such trustworthiness; andSA-13(b)[2]organization implements the organization-defined assurance overlay to achieve such trustworthiness.SYSTEM AND SERVICES ACQUISITIONSA-14CRITICALITY ANALYSISDetermine if the organization:SA-14[1]defines information systems, information system components, or information system services requiring a criticality analysis to identify critical information system components and functions;SA-14[2]defines decision points in the system development life cycle when a criticality analysis is to be performed for organization-defined information systems, information system components, or information system services; andSA-14[3]identifies critical information system components and functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decisions points in the system development life cycle.SA-14(1)CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCINGSA-20[Withdrawn: Incorporated into SA-20].SYSTEM AND SERVICES ACQUISITIONSA-15DEVELOPMENT PROCESS, STANDARDS, AND TOOLSDetermine if the organization:SA-15(a)requires the developer of the information system, system component, or information system service to follow a documented development process that:SA-15(a)(1)explicitly addresses security 
requirements;SA-15(a)(2)identifies the standards and tools used in the development process;SA-15(a)(3)SA-15(a)(3)[1]documents the specific tool options used in the development process;SA-15(a)(3)[2]documents the specific tool configurations used in the development process;SA-15(a)(4)SA-15(a)(4)[1]documents changes to the process and/or tools used in the development;SA-15(a)(4)[2]manages changes to the process and/or tools used in the development;SA-15(a)(4)[3]ensures the integrity of changes to the process and/or tools used in the development;SA-15(b)SA-15(b)[1]defines a frequency to review the development process, standards, tools, and tool options/configurations;SA-15(b)[2]defines security requirements to be satisfied by the process, standards, tools, and tool option/configurations selected and employed; andSA-15(b)[3]SA-15(b)[3][a]reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;SA-15(b)[3][b]reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;SA-15(b)[3][c]reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; andSA-15(b)[3][d]reviews the development tool options/configurations with the organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements.SA-15(1)QUALITY METRICSDetermine if the organization:SA-15(1)(a)requires the developer of the information system, system component, or information system service to define quality metrics at the beginning of the development process;SA-15(1)(b)SA-15(1)(b)[1]defines a frequency to provide evidence of meeting the quality metrics;SA-15(1)(b)[2]defines program 
review milestones to provide evidence of meeting the quality metrics;SA-15(1)(b)[3]requires the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics one or more of the following:SA-15(1)(b)[3][a]with the organization-defined frequency;SA-15(1)(b)[3][b]in accordance with the organization-defined program review milestones; and/orSA-15(1)(b)[3][c]upon delivery of the information system, system component, or information system service.SA-15(2)SECURITY TRACKING TOOLSDetermine if the organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.SA-15(3)CRITICALITY ANALYSISDetermine if the organization:SA-15(3)[1]defines the breadth of criticality analysis to be performed by the developer of the information system, system component, or information system service;SA-15(3)[2]defines the depth of criticality analysis to be performed by the developer of the information system, system component, or information system service;SA-15(3)[3]defines decision points in the system development life cycle when a criticality analysis is to be performed for the information system, system component, or information system service; andSA-15(3)[4]requires the developer of the information system, system component, or information system service to perform a criticality analysis at the organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.SA-15(4)THREAT MODELING / VULNERABILITY ANALYSISDetermine if the organization:SA-15(4)[1]defines the breadth of threat modeling and vulnerability analysis to be performed by developers for the information system;SA-15(4)[2]defines the depth of threat modeling and vulnerability analysis to be performed by developers for the information system;SA-15(4)[3]defines information concerning 
impact, environment of operations, known or assumed threats, and acceptable risk levels to be used in threat modeling and vulnerability analysis;SA-15(4)[4]defines tools and methods to be employed in threat modeling and vulnerability analysis;SA-15(4)[5]defines acceptance criteria for evidence produced from threat modeling and vulnerability analysis;SA-15(4)[6]requires that developers perform threat modeling and a vulnerability analysis for the information system at the organization-defined breadth/depth that:SA-15(4)[6](a)uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels;SA-15(4)[6](b)employs organization-defined tools and methods; andSA-15(4)[6](c)produces evidence that meets organization-defined acceptance criteria.SA-15(5)ATTACK SURFACE REDUCTIONDetermine if the organization:SA-15(5)[1]defines thresholds to which attack surfaces are to be reduced; andSA-15(5)[2]requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.SA-15(6)CONTINUOUS IMPROVEMENTDetermine if the organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.SA-15(7)AUTOMATED VULNERABILITY ANALYSISDetermine if the organization:SA-15(7)(a)SA-15(7)(a)[1]defines tools to be used to perform automated vulnerability analysis of the information system, system component, or information system service;SA-15(7)(a)[2]requires the developer of the information system, system component, or information system service to perform an automated vulnerability analysis using organization-defined tools;SA-15(7)(b)requires the developer of the information system, system component, or information system service to determine the exploitation potential for discovered vulnerabilities;SA-15(7)(c)requires the 
developer of the information system, system component, or information system service to determine potential risk mitigations for delivered vulnerabilities;SA-15(7)(d)SA-15(7)(d)[1]defines personnel or roles to whom the output of the tools and results of the analysis are to be delivered; andSA-15(7)(d)[2]requires the developer of the information system, system component, or information system service to deliver the outputs of the tools and results of the analysis to organization-defined personnel or roles.SA-15(8)REUSE OF THREAT / VULNERABILITY INFORMATIONDetermine if the organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.SA-15(9)USE OF LIVE DATADetermine if the organization, for the information system, system component, or information system service:SA-15(9)[1]approves the use of live data in development and test environments;SA-15(9)[2]documents the use of live data in development and test environments; andSA-15(9)[3]controls the use of live data in development and test environments.SA-15(10)INCIDENT RESPONSE PLANDetermine if the organization requires the developer of the information system, system component, or information system service to provide an incident response plan.SA-15(11)ARCHIVE INFORMATION SYSTEM / COMPONENTDetermine if the organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.SYSTEM AND SERVICES ACQUISITIONSA-16DEVELOPER-PROVIDED TRAININGDetermine if the organization:SA-16[1]defines training to be provided by the developer of the information system, system component, or information system service; andSA-16[2]requires the developer of the information system, system component, or information 
system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.SYSTEM AND SERVICES ACQUISITIONSA-17DEVELOPER SECURITY ARCHITECTURE AND DESIGNDetermine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:SA-17(a)is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;SA-17(b)accurately and completely describes:SA-17(b)[1]the required security functionality;SA-17(b)[2]the allocation of security controls among physical and logical components; andSA-17(c)expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.SA-17(1)FORMAL POLICY MODELDetermine if the organization:SA-17(1)(a)SA-17(1)(a)[1]defines elements of the organizational security policy to be enforced under a formal policy model produced by the developer as an integral part of the development process for the information system, system component, or information system service;SA-17(1)(a)[2]requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced; andSA-17(1)(b)requires the developer of the information system, system component, or information system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.SA-17(2)SECURITY-RELEVANT COMPONENTSDetermine if the organization requires the developer of the information system, system component, or 
information system service to:
  SA-17(2)(a)
    SA-17(2)(a)[1] define security-relevant hardware;
    SA-17(2)(a)[2] define security-relevant software;
    SA-17(2)(a)[3] define security-relevant firmware; and
  SA-17(2)(b) provide a rationale that the definition for security-relevant hardware, software, and firmware components is complete.

SA-17(3) FORMAL CORRESPONDENCE
Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(3)(a) produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of:
    SA-17(3)(a)[1] exceptions;
    SA-17(3)(a)[2] error messages;
    SA-17(3)(a)[3] effects;
  SA-17(3)(b) show via proof to the extent feasible, with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
  SA-17(3)(c) show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
  SA-17(3)(d) show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
  SA-17(3)(e) describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

SA-17(4) INFORMAL CORRESPONDENCE
Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(4)(a) produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of:
    SA-17(4)(a)[1] exceptions;
    SA-17(4)(a)[2] error messages;
    SA-17(4)(a)[3] effects;
  SA-17(4)(b) show via informal demonstration and/or convincing argument, with formal methods as feasible, that the descriptive top-level specification is consistent with the formal policy model;
  SA-17(4)(c) show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
  SA-17(4)(d) show that the descriptive top-level specification is an accurate description of the interfaces to the security-relevant hardware, software, and firmware; and
  SA-17(4)(e) describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

SA-17(5) CONCEPTUALLY SIMPLE DESIGN
Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(5)(a) design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
  SA-17(5)(b) internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.

SA-17(6) STRUCTURE FOR TESTING
Determine if the organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.

SA-17(7) STRUCTURE FOR LEAST PRIVILEGE
Determine if the organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

SYSTEM AND SERVICES ACQUISITION
SA-18 TAMPER RESISTANCE AND DETECTION
Determine if the organization implements a tamper protection program for the information system, system component, or information system service.

SA-18(1) MULTIPLE PHASES OF SDLC
Determine if the organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle, including:
  SA-18(1)[1] design;
  SA-18(1)[2] development;
  SA-18(1)[3] integration;
  SA-18(1)[4] operations; and
  SA-18(1)[5] maintenance.

SA-18(2) INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES
Determine if the organization:
  SA-18(2)[1] defines information systems, system components, or devices to be inspected to detect tampering;
  SA-18(2)[2] defines the frequency to inspect organization-defined information systems, system components, or devices to detect tampering;
  SA-18(2)[3] defines indications of need for inspection of organization-defined information systems, system components, or devices to detect tampering;
  SA-18(2)[4] inspects organization-defined information systems, system components, or devices to detect tampering, selecting one or more of the following:
    SA-18(2)[4][a] at random;
    SA-18(2)[4][b] with the organization-defined frequency; and/or
    SA-18(2)[4][c] upon organization-defined indications of need for inspection.

SYSTEM AND SERVICES ACQUISITION
SA-19 COMPONENT AUTHENTICITY
Determine if the organization:
  SA-19(a) develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system;
  SA-19(b)
    SA-19(b)[1] defines external reporting organizations to whom counterfeit information system components are to be reported;
    SA-19(b)[2] defines personnel or roles to whom counterfeit information system components are to be reported;
    SA-19(b)[3] reports counterfeit information system components to one or more of the following:
      SA-19(b)[3][a] the source of the counterfeit component;
      SA-19(b)[3][b] the organization-defined external reporting organizations; and/or
      SA-19(b)[3][c] the organization-defined personnel or roles.

SA-19(1) ANTI-COUNTERFEIT TRAINING
Determine if the organization:
  SA-19(1)[1] defines personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware); and
  SA-19(1)[2] trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware).

SA-19(2) CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR
Determine if the organization:
  SA-19(2)[1] defines information system components requiring configuration control to be maintained when awaiting service/repair;
  SA-19(2)[2] defines information system components requiring configuration control to be maintained when awaiting return to service; and
  SA-19(2)[3] maintains configuration control over organization-defined information system components awaiting service/repair and serviced/repaired components awaiting return to service.

SA-19(3) COMPONENT DISPOSAL
Determine if the organization:
  SA-19(3)[1] defines techniques and methods to dispose of information system components; and
  SA-19(3)[2] disposes of information system components using organization-defined techniques and methods.

SA-19(4) ANTI-COUNTERFEIT SCANNING
Determine if the organization:
  SA-19(4)[1] defines a frequency to scan for counterfeit information system components; and
  SA-19(4)[2] scans for counterfeit information system components with the organization-defined frequency.

SYSTEM AND SERVICES ACQUISITION
SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
Determine if the organization:
  SA-20[1] defines critical information system components to be re-implemented or custom developed; and
  SA-20[2] re-implements or custom develops organization-defined information system components.

SYSTEM AND SERVICES ACQUISITION
SA-21 DEVELOPER SCREENING
Determine if the organization:
  SA-21[1] defines the information system, system component, or information system service for which the developer is to be screened;
  SA-21[2] defines official government duties to be used to determine appropriate access authorizations for the developer;
  SA-21[3] defines additional personnel screening criteria to be satisfied by the developer;
  SA-21[4]
    SA-21[4][a] requires that the developer of the organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties; and
    SA-21[4][b] requires that the developer of the organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria.

SA-21(1) VALIDATION OF SCREENING
Determine if the organization:
  SA-21(1)[1] defines actions to be taken by the developer of the information system, system component, or information system service to ensure that the required access authorizations and screening criteria are satisfied; and
  SA-21(1)[2] requires the developer of the information system, system component, or information system service to take organization-defined actions to ensure that the required access authorizations and screening criteria are satisfied.

SYSTEM AND SERVICES ACQUISITION
SA-22 UNSUPPORTED SYSTEM COMPONENTS
Determine if the organization:
  SA-22(a) replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer;
  SA-22(b)
    SA-22(b)[1] provides justification for the continued use of unsupported system components required to satisfy mission/business needs; and
    SA-22(b)[2] documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

SA-22(1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT
Determine if the organization:
  SA-22(1)[1] defines support from external providers to be provided for unsupported information system components;
  SA-22(1)[2] provides and/or obtains support for unsupported information system components from one or more of the following:
    SA-22(1)[2][a] in-house support; and/or
    SA-22(1)[2][b] organization-defined support from external providers.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Determine if the organization:
  SC-1(a)(1)
    SC-1(a)(1)[1] develops and documents a system and communications protection policy that addresses:
      SC-1(a)(1)[1][a] purpose;
      SC-1(a)(1)[1][b] scope;
      SC-1(a)(1)[1][c] roles;
      SC-1(a)(1)[1][d] responsibilities;
      SC-1(a)(1)[1][e] management commitment;
      SC-1(a)(1)[1][f] coordination among organizational entities;
      SC-1(a)(1)[1][g] compliance;
    SC-1(a)(1)[2] defines personnel or roles to whom the system and communications protection policy is to be disseminated;
    SC-1(a)(1)[3] disseminates the system and communications protection policy to organization-defined personnel or roles;
  SC-1(a)(2)
    SC-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;
    SC-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    SC-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  SC-1(b)(1)
    SC-1(b)(1)[1] defines the frequency to review and update the current system and communications protection policy;
    SC-1(b)(1)[2] reviews and updates the current system and communications protection policy with the organization-defined frequency;
  SC-1(b)(2)
    SC-1(b)(2)[1] defines the frequency to review and update the current system and communications protection procedures; and
    SC-1(b)(2)[2] reviews and updates the current system and communications protection procedures with the organization-defined frequency.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-2 APPLICATION PARTITIONING
Determine if the information system separates user functionality (including user interface services) from information system management functionality.

SC-2(1) INTERFACES FOR NON-PRIVILEGED USERS
Determine if the information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-3 SECURITY FUNCTION ISOLATION
Determine if the information system isolates security functions from nonsecurity functions.

SC-3(1) HARDWARE SEPARATION
Determine if the information system utilizes underlying hardware separation mechanisms to implement security function isolation.

SC-3(2) ACCESS/FLOW CONTROL FUNCTIONS
Determine if the information system isolates security functions enforcing:
  SC-3(2)[1] access control from nonsecurity functions;
  SC-3(2)[2] information flow control from nonsecurity functions;
  SC-3(2)[3] access control from other security functions; and
  SC-3(2)[4] information flow control from other security functions.

SC-3(3) MINIMIZE NONSECURITY FUNCTIONALITY
Determine if the organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.

SC-3(4) MODULE COUPLING AND COHESIVENESS
Determine if the organization implements security functions as largely independent modules that:
  SC-3(4)[1] maximize internal cohesiveness within modules; and
  SC-3(4)[2] minimize coupling between modules.

SC-3(5) LAYERED STRUCTURES
Determine if the organization implements security functions as a layered structure:
  SC-3(5)[1] minimizing interactions between layers of the design; and
  SC-3(5)[2] avoiding any dependence by lower layers on the functionality or correctness of higher layers.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-4 INFORMATION IN SHARED RESOURCES
Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.

SC-4(1) SECURITY LEVELS
[Withdrawn: Incorporated into SC-4].

SC-4(2) PERIODS PROCESSING
Determine if:
  SC-4(2)[1] the organization defines procedures to be employed to ensure unauthorized information transfer via shared resources is prevented when system processing explicitly switches between different information classification levels or security categories; and
  SC-4(2)[2] the information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-5 DENIAL OF SERVICE PROTECTION
Determine if:
  SC-5[1] the organization defines types of denial of service attacks (or a reference to a source of such information) for the information system to protect against or limit the effects of;
  SC-5[2] the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and
  SC-5[3] the information system protects against or limits the effects of the organization-defined denial of service attacks (or reference to source for such information) by employing organization-defined security safeguards.

SC-5(1) RESTRICT INTERNAL USERS
Determine if:
  SC-5(1)[1] the organization defines denial of service attacks for which the information system is required to restrict the ability of individuals to launch such attacks against other information systems; and
  SC-5(1)[2] the information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.

SC-5(2) EXCESS CAPACITY / BANDWIDTH / REDUNDANCY
Determine if the information system, to limit the effects of information flooding denial of service attacks, manages:
  SC-5(2)[1] excess capacity;
  SC-5(2)[2] bandwidth; or
  SC-5(2)[3] other redundancy.

SC-5(3) DETECTION / MONITORING
Determine if the organization:
  SC-5(3)(a)
    SC-5(3)(a)[1] defines monitoring tools to be employed to detect indicators of denial of service attacks against the information system;
    SC-5(3)(a)[2] employs organization-defined monitoring tools to detect indicators of denial of service attacks against the information system;
  SC-5(3)(b)
    SC-5(3)(b)[1] defines information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks; and
    SC-5(3)(b)[2] monitors
organization-defined information system resources to determine if sufficient resources exist to prevent effective denial of service attacks.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-6 RESOURCE AVAILABILITY
Determine if:
  SC-6[1] the organization defines resources to be allocated to protect the availability of resources;
  SC-6[2] the organization defines security safeguards to be employed to protect the availability of resources;
  SC-6[3] the information system protects the availability of resources by allocating organization-defined resources by one or more of the following:
    SC-6[3][a] priority;
    SC-6[3][b] quota; and/or
    SC-6[3][c] organization-defined safeguards.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-7 BOUNDARY PROTECTION
Determine if the information system:
  SC-7(a)
    SC-7(a)[1] monitors communications at the external boundary of the information system;
    SC-7(a)[2] monitors communications at key internal boundaries within the system;
    SC-7(a)[3] controls communications at the external boundary of the information system;
    SC-7(a)[4] controls communications at key internal boundaries within the system;
  SC-7(b) implements subnetworks for publicly accessible system components that are either:
    SC-7(b)[1] physically separated from internal organizational networks; and/or
    SC-7(b)[2] logically separated from internal organizational networks; and
  SC-7(c) connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7(1) PHYSICALLY SEPARATED SUBNETWORKS
[Withdrawn: Incorporated into SC-7].

SC-7(2) PUBLIC ACCESS
[Withdrawn: Incorporated into SC-7].

SC-7(3) ACCESS POINTS
Determine if the organization limits the number of external network connections to the information system.

SC-7(4) EXTERNAL TELECOMMUNICATIONS SERVICES
Determine if the organization:
  SC-7(4)(a) implements a managed interface for each external telecommunication service;
  SC-7(4)(b) establishes a traffic flow policy for each managed interface;
  SC-7(4)(c) protects the confidentiality and integrity of the information being transmitted across each interface;
  SC-7(4)(d) documents each exception to the traffic flow policy with:
    SC-7(4)(d)[1] a supporting mission/business need;
    SC-7(4)(d)[2] the duration of that need;
  SC-7(4)(e)
    SC-7(4)(e)[1] defines a frequency to review exceptions to the traffic flow policy;
    SC-7(4)(e)[2] reviews exceptions to the traffic flow policy with the organization-defined frequency; and
    SC-7(4)(e)[3] removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.

SC-7(5) DENY BY DEFAULT / ALLOW BY EXCEPTION
Determine if the information system, at managed interfaces:
  SC-7(5)[1] denies network traffic by default; and
  SC-7(5)[2] allows network traffic by exception.

SC-7(6) RESPONSE TO RECOGNIZED FAILURES
[Withdrawn: Incorporated into SC-7(18)].

SC-7(7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

SC-7(8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
Determine if:
  SC-7(8)[1] the organization defines internal communications traffic to be routed to external networks;
  SC-7(8)[2] the organization defines external networks to which organization-defined internal communications traffic is to be routed; and
  SC-7(8)[3] the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.

SC-7(9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
Determine if the information system:
  SC-7(9)(a)
    SC-7(9)(a)[1] detects outgoing communications traffic posing a threat to external information systems; and
    SC-7(9)(a)[2] denies outgoing communications traffic posing a threat to external information systems; and
  SC-7(9)(b) audits the identity of internal users associated with denied communications.

SC-7(10) PREVENT UNAUTHORIZED EXFILTRATION
Determine if the organization prevents the unauthorized exfiltration of information across managed interfaces.

SC-7(11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC
Determine if:
  SC-7(11)[1] the organization defines internal communications traffic to be routed to external networks;
  SC-7(11)[2] the organization defines the authorized destinations only to which incoming communications from organization-defined authorized sources may be routed; and
  SC-7(11)[3] the information system only allows incoming communications from organization-defined authorized sources to be routed to organization-defined authorized destinations.

SC-7(12) HOST-BASED PROTECTION
Determine if the organization:
  SC-7(12)[1] defines host-based boundary protection mechanisms;
  SC-7(12)[2] defines information system components where organization-defined host-based boundary protection mechanisms are to be implemented; and
  SC-7(12)[3] implements organization-defined host-based boundary protection mechanisms at organization-defined information system components.

SC-7(13) ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS
Determine if the organization:
  SC-7(13)[1] defines information security tools, mechanisms, and support components to be isolated from other internal information system components; and
  SC-7(13)[2] isolates organization-defined information security tools, mechanisms, and support components from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

SC-7(14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
Determine if the organization:
  SC-7(14)[1] defines managed interfaces to be protected against unauthorized physical connections; and
  SC-7(14)[2] protects against unauthorized physical connections at organization-defined managed interfaces.

SC-7(15) ROUTE PRIVILEGED NETWORK ACCESSES
Determine if the information system routes all networked, privileged accesses through a dedicated, managed interface for the purposes of:
  SC-7(15)[1] access control; and
  SC-7(15)[2] auditing.

SC-7(16) PREVENT DISCOVERY OF COMPONENTS / DEVICES
Determine if the information system prevents discovery of specific system components composing a managed interface.

SC-7(17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
Determine if the information system enforces adherence to protocol formats.

SC-7(18) FAIL SECURE
Determine if the information system fails securely in the event of an operational failure of a boundary protection device.

SC-7(19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS
Determine if the organization:
  SC-7(19)[1] defines communication clients that are independently configured by end users and external service providers; and
  SC-7(19)[2] blocks, between organization-defined communication clients that are independently configured by end users and external service providers:
    SC-7(19)[2][a] inbound communications traffic; and
    SC-7(19)[2][b] outbound communications traffic.

SC-7(20) DYNAMIC ISOLATION / SEGREGATION
Determine if:
  SC-7(20)[1] the organization defines information system components to be dynamically isolated/segregated from other components of the system; and
  SC-7(20)[2] the information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system.

SC-7(21) ISOLATION OF INFORMATION SYSTEM COMPONENTS
Determine if the organization:
  SC-7(21)[1] defines information system components to be separated by boundary protection mechanisms;
  SC-7(21)[2] defines missions and/or business functions to be supported by organization-defined information system components separated by boundary protection mechanisms; and
  SC-7(21)[3] employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.

SC-7(22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
Determine if the information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.

SC-7(23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE
Determine if the information system disables feedback to senders on protocol format validation failure.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
Determine if the information system protects one or more of the following:
  SC-8[1] confidentiality of transmitted information; and/or
  SC-8[2] integrity of transmitted information.

SC-8(1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
Determine if:
  SC-8(1)[1] the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and
  SC-8(1)[2] the information system implements cryptographic mechanisms to do one or more of the following during transmission, unless otherwise protected by organization-defined alternative physical safeguards:
    SC-8(1)[2][a] prevent unauthorized disclosure of information; and/or
    SC-8(1)[2][b] detect changes to information.

SC-8(2) PRE / POST TRANSMISSION HANDLING
Determine if the information system maintains one or more of the following:
  SC-8(2)[1] confidentiality of information during preparation for transmission;
  SC-8(2)[2] confidentiality of information during reception; and/or
  SC-8(2)[3] integrity of information during preparation for transmission;
  SC-8(2)[4] integrity of information during reception.

SC-8(3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
Determine if:
  SC-8(3)[1] the organization defines alternative physical safeguards to be implemented to protect message externals; and
  SC-8(3)[2] the information system implements cryptographic mechanisms to protect message externals unless otherwise protected by organization-defined alternative physical safeguards.

SC-8(4) CONCEAL / RANDOMIZE COMMUNICATIONS
Determine if:
  SC-8(4)[1] the organization defines alternative physical safeguards to be implemented to protect against unauthorized disclosure of communication patterns;
  SC-8(4)[2] the information system, unless otherwise protected by organization-defined alternative physical safeguards, implements cryptographic mechanisms to:
    SC-8(4)[2][a] conceal communication patterns; or
    SC-8(4)[2][b] randomize communication patterns.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-9 TRANSMISSION CONFIDENTIALITY
[Withdrawn: Incorporated into SC-8].

SYSTEM AND COMMUNICATIONS PROTECTION
SC-10 NETWORK DISCONNECT
Determine if:
  SC-10[1] the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and
  SC-10[2] the information system terminates the network connection associated with a communications session at the end of the session or after the organization-defined time period of inactivity.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-11 TRUSTED PATH
Determine if:
  SC-11[1] the organization defines security functions of the information system;
  SC-11[2] the organization-defined security functions include, at a minimum, information system authentication and re-authentication; and
  SC-11[3] the information system establishes a trusted communications path between the user and the organization-defined security functions of the system.

SC-11(1) LOGICAL ISOLATION
Determine if the information system provides a trusted communications path that is:
  SC-11(1)[1] logically isolated; and
  SC-11(1)[2] distinguishable from other paths.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
Determine if the organization:
  SC-12[1] defines requirements for cryptographic key:
    SC-12[1][a] generation;
    SC-12[1][b] distribution;
    SC-12[1][c] storage;
    SC-12[1][d] access;
    SC-12[1][e] destruction; and
  SC-12[2] establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution,
storage, access, and destruction.

SC-12(1) AVAILABILITY
Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users.

SC-12(2) SYMMETRIC KEYS
Determine if the organization produces, controls, and distributes symmetric cryptographic keys using one of the following:
  SC-12(2)[1] NIST FIPS-compliant key management technology and processes; or
  SC-12(2)[2] NSA-approved key management technology and processes.

SC-12(3) ASYMMETRIC KEYS
Determine if the organization produces, controls, and distributes asymmetric cryptographic keys using one of the following:
  SC-12(3)[1] NSA-approved key management technology and processes;
  SC-12(3)[2] approved PKI Class 3 certificates or prepositioned keying material; or
  SC-12(3)[3] approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

SC-12(4) PKI CERTIFICATES
[Withdrawn: Incorporated into SC-12].

SC-12(5) PKI CERTIFICATES / HARDWARE TOKENS
[Withdrawn: Incorporated into SC-12].

SYSTEM AND COMMUNICATIONS PROTECTION
SC-13 CRYPTOGRAPHIC PROTECTION
Determine if:
  SC-13[1] the organization defines cryptographic uses;
  SC-13[2] the organization defines the type of cryptography required for each use; and
  SC-13[3] the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13(1) FIPS-VALIDATED CRYPTOGRAPHY
[Withdrawn: Incorporated into SC-13].

SC-13(2) NSA-APPROVED CRYPTOGRAPHY
[Withdrawn: Incorporated into SC-13].

SC-13(3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS
[Withdrawn: Incorporated into SC-13].

SC-13(4) DIGITAL SIGNATURES
[Withdrawn: Incorporated into SC-13].

SYSTEM AND COMMUNICATIONS PROTECTION
SC-14 PUBLIC ACCESS PROTECTIONS
[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].

SYSTEM AND COMMUNICATIONS PROTECTION
SC-15 COLLABORATIVE COMPUTING DEVICES
Determine if:
  SC-15(a)
    SC-15(a)[1] the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;
    SC-15(a)[2] the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and
  SC-15(b) the information system provides an explicit indication of use to users physically present at the devices.

SC-15(1) PHYSICAL DISCONNECT
Determine if the information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

SC-15(2) BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC
[Withdrawn: Incorporated into SC-7].

SC-15(3) DISABLING / REMOVAL IN SECURE WORK AREAS
Determine if the organization:
  SC-15(3)[1] defines information systems or information system components from which collaborative computing devices are to be disabled or removed;
  SC-15(3)[2] defines secure work areas where collaborative computing devices are to be disabled or removed from information systems or information system components placed in such work areas; and
  SC-15(3)[3] disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas.

SC-15(4) EXPLICITLY INDICATE CURRENT PARTICIPANTS
Determine if:
  SC-15(4)[1] the organization defines online meetings and teleconferences for which an explicit indication of current participants is to be provided; and
  SC-15(4)[2] the information system provides an explicit indication of current participants in organization-defined meetings and teleconferences.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-16 TRANSMISSION OF SECURITY ATTRIBUTES
Determine if:
  SC-16[1] the organization defines security attributes to be associated with information exchanged:
    SC-16[1][a] between information systems;
    SC-16[1][b] between system components;
  SC-16[2] the information system associates organization-defined security attributes with information exchanged:
    SC-16[2][a] between information systems; and
    SC-16[2][b] between system components.

SC-16(1) INTEGRITY VALIDATION
Determine if the information system validates the integrity of transmitted security attributes.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
Determine if the organization:
  SC-17[1] defines a certificate policy for issuing public key certificates;
  SC-17[2] issues public key certificates:
    SC-17[2][a] under an organization-defined certificate policy; or
    SC-17[2][b] obtains public key certificates from an approved service provider.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-18 MOBILE CODE
Determine if the organization:
  SC-18(a) defines acceptable and unacceptable mobile code and mobile code technologies;
  SC-18(b)
    SC-18(b)[1] establishes usage restrictions for acceptable mobile code and mobile code technologies;
    SC-18(b)[2] establishes implementation guidance for acceptable mobile code and mobile code technologies;
  SC-18(c)
    SC-18(c)[1] authorizes the use of mobile code within the information system;
    SC-18(c)[2] monitors the use of mobile code within the information system; and
    SC-18(c)[3] controls the use of mobile code within the information system.

SC-18(1) IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS
Determine if:
  SC-18(1)[1] the organization defines unacceptable mobile code to be identified by the information system;
  SC-18(1)[2] the organization defines corrective actions to be taken when the information system identifies organization-defined unacceptable mobile code;
  SC-18(1)[3] the information system:
    SC-18(1)[3][a] identifies organization-defined unacceptable mobile code; and
    SC-18(1)[3][b] takes organization-defined corrective actions.

SC-18(2) ACQUISITION / DEVELOPMENT / USE
Determine if the organization:
  SC-18(2)[1] defines requirements for:
    SC-18(2)[1][a] the acquisition of mobile code;
    SC-18(2)[1][b] the development of mobile code;
    SC-18(2)[1][c] the use of mobile code; and
  SC-18(2)[2] ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets organization-defined mobile code requirements.

SC-18(3) PREVENT DOWNLOADING / EXECUTION
Determine if:
  SC-18(3)[1] the organization defines unacceptable mobile code to be prevented from downloading and execution;
  SC-18(3)[2] the information system prevents the:
    SC-18(3)[2][a] download of organization-defined unacceptable mobile code; and
    SC-18(3)[2][b] execution of organization-defined unacceptable mobile code.

SC-18(4) PREVENT AUTOMATIC EXECUTION
Determine if:
  SC-18(4)[1] the organization defines software applications in which the automatic execution of mobile code is to be prohibited;
  SC-18(4)[2] the organization defines actions to be enforced by the information system prior to executing mobile code;
  SC-18(4)[3] the information system prevents the automatic execution of mobile code in the organization-defined software applications; and
  SC-18(4)[4] the information system enforces organization-defined actions prior to executing the code.

SC-18(5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS
Determine if the organization allows execution of permitted mobile code only in confined virtual machine environments.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-19 VOICE OVER INTERNET PROTOCOL
Determine if the organization:
  SC-19(a)
    SC-19(a)[1] establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;
    SC-19(a)[2] establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;
  SC-19(b)
    SC-19(b)[1] authorizes the use of VoIP within the information system;
    SC-19(b)[2] monitors the use of VoIP within the information system; and
    SC-19(b)[3] controls the use of VoIP within the information system.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
Determine if the information system:
  SC-20(a) provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;
  SC-20(b) provides the means to, when operating as part of a distributed, hierarchical namespace:
    SC-20(b)[1] indicate the security status of child zones; and
    SC-20(b)[2] enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

SC-20(1) CHILD SUBSPACES
[Withdrawn: Incorporated into SC-20].

SC-20(2) DATA ORIGIN / DATA INTEGRITY
Determine if the information system provides data origin and integrity protection artifacts for internal name/address resolution queries.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Determine if the information system:
  SC-21[1] requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;
  SC-21[2] requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;
  SC-21[3] performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and
  SC-21[4] performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-21(1) DATA ORIGIN / INTEGRITY
[Withdrawn: Incorporated into SC-21].

SYSTEM AND COMMUNICATIONS PROTECTION
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
Determine if the information systems that collectively provide name/address resolution service for an organization:
  SC-22[1] are fault tolerant; and
  SC-22[2] implement internal/external role separation.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-23 SESSION AUTHENTICITY
Determine if the information system protects the authenticity of communications sessions.

SC-23(1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT
Determine if the information system invalidates session identifiers upon user logout or other session termination.

SC-23(2) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS
[Withdrawn: Incorporated into AC-12(1)].

SC-23(3) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
Determine if:
  SC-23(3)[1] the organization defines randomness requirements for generating a unique session identifier for each session;
  SC-23(3)[2] the information system generates a unique session identifier for each session with organization-defined randomness requirements; and
  SC-23(3)[3] the information system recognizes only session identifiers that are system-generated.

SC-23(4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
[Withdrawn: Incorporated into SC-23(3)].

SC-23(5) ALLOWED CERTIFICATE AUTHORITIES
Determine if:
  SC-23(5)[1] the organization defines certificate authorities to be allowed for verification of the establishment of protected sessions; and
  SC-23(5)[2] the information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-24 FAIL IN KNOWN STATE
Determine if:
  SC-24[1] the organization defines a known state to which the information system is to fail in the event of a system failure;
  SC-24[2] the organization defines types of failures for which the information system is to fail to an organization-defined known state;
  SC-24[3] the organization defines system state information to be preserved in the event of a system failure;
  SC-24[4] the information system fails to the organization-defined known state for organization-defined types of failures; and
  SC-24[5] the information system preserves the organization-defined system state information in the event of a system failure.

SYSTEM AND COMMUNICATIONS PROTECTION
SC-25 THIN NODES
Determine if the organization:
  SC-25[1] defines information system components to be employed with minimal functionality
and information storage; andSC-25[2]employs organization-defined information system components with minimal functionality and information storage.SYSTEM AND COMMUNICATIONS PROTECTIONSC-26HONEY POTSDetermine if the information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.SC-26(1)DETECTION OF MALICIOUS CODESC-35[Withdrawn: Incorporated into SC-35].SYSTEM AND COMMUNICATIONS PROTECTIONSC-27PLATFORM-INDEPENDENT APPLICATIONSDetermine if:SC-27[1]the organization defines platform-independent applications; andSC-27[2]the information system includes organization-defined platform-independent applications.SYSTEM AND COMMUNICATIONS PROTECTIONSC-28PROTECTION OF INFORMATION AT RESTDetermine if:SC-28[1]the organization defines information at rest requiring one or more of the following:SC-28[1][a]confidentiality protection; and/orSC-28[1][b]integrity protection;SC-28[2]the information system protects:SC-28[2][a]the confidentiality of organization-defined information at rest; and/orSC-28[2][b]the integrity of organization-defined information at rest.SC-28(1)CRYPTOGRAPHIC PROTECTIONSDetermine if:SC-28(1)[1]the organization defines information requiring cryptographic protection;SC-28(1)[2]the organization defines information system components with organization-defined information requiring cryptographic protection; andSC-28(1)[3]the information system employs cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components.SC-28(2)OFF-LINE STORAGEDetermine if the organization:SC-28(2)[1]defines information to be removed from online storage and stored off-line in a secure location; andSC-28(2)[2]removes organization-defined information from online storage; andSC-28(2)[3]stores such information off-line in a secure location.SYSTEM AND COMMUNICATIONS 
PROTECTIONSC-29HETEROGENEITYDetermine if the organization:SC-29[1]defines information system components requiring a diverse set of information technologies to be employed in the implementation of the information system; andSC-29[2]employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system.SC-29(1)VIRTUALIZATION TECHNIQUESDetermine if the organization:SC-29(1)[1]defines a frequency to change the diversity of operating systems and applications deployed using virtualization techniques; andSC-29(1)[2]employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed with the organization-defined frequency.SYSTEM AND COMMUNICATIONS PROTECTIONSC-30CONCEALMENT AND MISDIRECTIONDetermine if the organization:SC-30[1]defines concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting organizational information systems;SC-30[2]defines information systems for which organization-defined concealment and misdirection techniques are to be employed;SC-30[3]defines time periods to employ organization-defined concealment and misdirection techniques for organization-defined information systems; andSC-30[4]employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries.SC-30(1)VIRTUALIZATION TECHNIQUESSC-29(1)[Withdrawn: Incorporated into SC-29(1)].SC-30(2)RANDOMNESSDetermine if the organization:SC-30(2)[1]defines techniques to be employed to introduce randomness into organizational operations and assets; andSC-30(2)[2]employs organization-defined techniques to introduce randomness into organizational operations and assets.SC-30(3)CHANGE PROCESSING / STORAGE LOCATIONSDetermine if the organization:SC-30(3)[1]defines processing and/or storage locations to be 
changed at time intervals specified by the organization;SC-30(3)[2]defines a frequency to change the location of organization-defined processing and/or storage; andSC-30(3)[3]changes the location of organization-defined processing and/or storage at one of the following:SC-30(3)[3][a]organization-defined time intervals; orSC-30(3)[3][b]random time intervals.SC-30(4)MISLEADING INFORMATIONDetermine if the organization:SC-30(4)[1]defines information system components in which to employ realistic, but misleading information regarding its security state or posture; andSC-30(4)[2]employs realistic, but misleading information in organization-defined information system components with regard to its security state or posture.SC-30(5)CONCEALMENT OF SYSTEM COMPONENTSDetermine if the organization:SC-30(5)[1]defines techniques to be employed to hide or conceal information system components;SC-30(5)[2]defines information system components to be hidden or concealed using organization-defined techniques; andSC-30(5)[3]employs organization-defined techniques to hide or conceal organization-defined information system components.SYSTEM AND COMMUNICATIONS PROTECTIONSC-31COVERT CHANNEL ANALYSISDetermine if the organization:SC-31(a)performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for one or more of the following:SC-31(a)[1]covert storage channels; and/orSC-31(a)[2]covert timing channels; andSC-31(b)estimates the maximum bandwidth of those channels.SC-31(1)TEST COVERT CHANNELS FOR EXPLOITABILITYDetermine if the organization tests a subset of identified covert channels to determine which channels are exploitable.SC-31(2)MAXIMUM BANDWIDTHDetermine if the organization:SC-31(2)[1]defines values to be employed as the maximum bandwidth allowed for identified covert channels; andSC-31(2)[2]reduces the maximum bandwidth to organization-defined values for one or more of the following 
identified:SC-31(2)[2][a]covert storage channels; and/orSC-31(2)[2][b]covert timing channels.SC-31(3)MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTSDetermine if the organization:SC-31(3)[1]defines subset of identified covert channels whose bandwidth is to be measured in the operational environment of the information system; andSC-31(3)[2]measures the bandwidth of the organization-defined subset of identified covert channels in the operational environment of the information system.SYSTEM AND COMMUNICATIONS PROTECTIONSC-32INFORMATION SYSTEM PARTITIONINGDetermine if the organization:SC-32[1]defines circumstances for physical separation of information system components into information system partitions;SC-32[2]defines information system components to reside in separate physical domains or environments based on organization-defined circumstances for physical separation of components; andSC-32[3]partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components.SYSTEM AND COMMUNICATIONS PROTECTIONSC-33TRANSMISSION PREPARATION INTEGRITYSC-8[Withdrawn: Incorporated into SC-8].SYSTEM AND COMMUNICATIONS PROTECTIONSC-34NON-MODIFIABLE EXECUTABLE PROGRAMSDetermine if:SC-34[1]the organization defines information system components for which the operating environment and organization-defined applications are to be loaded and executed from hardware-enforced, read-only media;SC-34[2]the organization defines applications to be loaded and executed from hardware-enforced, read-only media;SC-34[3]the information system, at organization-defined information system components:SC-34[3](a)loads and executes the operating environment from hardware-enforced, read-only media; andSC-34[3](b)loads and executes organization-defined applications from hardware-enforced, read-only media.SC-34(1)NO WRITABLE STORAGEDetermine if the 
organization:SC-34(1)[1]defines information system components to be employed with no writeable storage; andSC-34(1)[2]employs organization-defined information system components with no writeable storage that is persistent across component restart or power on/off.SC-34(2)INTEGRITY PROTECTION/READ-ONLY MEDIADetermine if the organization:SC-34(2)[1]protects the integrity of the information prior to storage on read-only media; andSC-34(2)[2]controls the media after such information has been recorded onto the media.SC-34(3)HARDWARE-BASED PROTECTIONDetermine if the organization:SC-34(3)(a)SC-34(3)(a)[1]defines information system firmware components for which hardware-based, write-protection is to be employed;SC-34(3)(a)[2]employs hardware-based, write-protection for organization-defined information system firmware components;SC-34(3)(b)SC-34(3)(b)[1]defines individuals authorized to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode; andSC-34(3)(b)[2]implements specific procedures for organization-defined authorized individuals to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.SYSTEM AND COMMUNICATIONS PROTECTIONSC-35HONEYCLIENTSDetermine if the information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.SYSTEM AND COMMUNICATIONS PROTECTIONSC-36DISTRIBUTED PROCESSING AND STORAGEDetermine if the organization:SC-36[1]defines processing and storage to be distributed across multiple physical locations; andSC-36[2]distributes organization-defined processing and storage across multiple physical locations.SC-36(1)POLLING TECHNIQUESDetermine if the organization:SC-36(1)[1]defines distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises; 
andSC-36(1)[2]employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed processing and storage components.SYSTEM AND COMMUNICATIONS PROTECTIONSC-37OUT-OF-BAND CHANNELSDetermine if the organization:SC-37[1]defines out-of-band channels to be employed for the physical delivery or electronic transmission of information, information system components, or devices to individuals or information systems;SC-37[2]defines information, information system components, or devices for which physical delivery or electronic transmission of such information, information system components, or devices to individuals or information systems requires employment of organization-defined out-of-band channels;SC-37[3]defines individuals or information systems to which physical delivery or electronic transmission of organization-defined information, information system components, or devices is to be achieved via employment of organization-defined out-of-band channels; andSC-37[4]employs organization-defined out-of-band channels for the physical delivery or electronic transmission of organization-defined information, information system components, or devices to organization-defined individuals or information systems.SC-37(1)ENSURE DELIVERY / TRANSMISSIONDetermine if the organization:SC-37(1)[1]defines security safeguards to be employed to ensure that only designated individuals or information systems receive specific information, information system components, or devices;SC-37(1)[2]defines individuals or information systems designated to receive specific information, information system components, or devices;SC-37(1)[3]defines information, information system components, or devices that only organization-defined individuals or information systems are designated to receive; andSC-37(1)[4]employs organization-defined security safeguards to ensure that only organization-defined individuals or information systems receive the 
organization-defined information, information system components, or devices.SYSTEM AND COMMUNICATIONS PROTECTIONSC-38OPERATIONS SECURITYDetermine if the organization:SC-38[1]defines operations security safeguards to be employed to protect key organizational information throughout the system development life cycle; andSC-38[2]employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle.SYSTEM AND COMMUNICATIONS PROTECTIONSC-39PROCESS ISOLATIONDetermine if the information system maintains a separate execution domain for each executing process.SC-39(1)HARDWARE SEPARATIONDetermine if the information system implements underlying hardware separation mechanisms to facilitate process separation.SC-39(2)THREAD ISOLATIONDetermine if the information system:SC-39(2)[1]defines multi-threaded processing for which a separate execution domain is to be maintained for each thread in multi-threaded processing; andSC-39(2)[2]maintains a separate execution domain for each thread in organization-defined multi-threaded processing.SYSTEM AND COMMUNICATIONS PROTECTIONSC-40WIRELESS LINK PROTECTIONDetermine if:SC-40[1]the organization defines:SC-40[1][a]internal wireless links to be protected from particular types of signal parameter attacks;SC-40[1][b]external wireless links to be protected from particular types of signal parameter attacks;SC-40[2]the organization defines types of signal parameter attacks or references to sources for such attacks that are based upon exploiting the signal parameters of organization-defined internal and external wireless links; andSC-40[3]the information system protects internal and external organization-defined wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.SC-40(1)ELECTROMAGNETIC INTERFERENCEDetermine if:SC-40(1)[1]the organization defines level of protection to be employed against the effects of 
intentional electromagnetic interference; andSC-40(1)[2]the information system employs cryptographic mechanisms that achieve organization-defined level of protection against the effects of intentional electromagnetic interference.SC-40(2)REDUCE DETECTION POTENTIALDetermine if:SC-40(2)[1]the organization defines level of reduction to be achieved to reduce the detection potential of wireless links; andSC-40(2)[2]the information system implements cryptographic mechanisms to reduce the detection potential of wireless links to organization-defined level of reduction.SC-40(3)IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTIONDetermine if the information system implements cryptographic mechanisms to:SC-40(3)[1]identify wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters; andSC-40(3)[2]reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.SC-40(4)SIGNAL PARAMETER IDENTIFICATIONDetermine if:SC-40(4)[1]the organization defines wireless transmitters for which cryptographic mechanisms are to be implemented to prevent identification of such transmitters by using the transmitter signal parameters; andSC-40(4)[2]the information system implements cryptographic mechanisms to prevent the identification of organization-defined wireless transmitters by using the transmitter signal parameters.SYSTEM AND COMMUNICATIONS PROTECTIONSC-41PORT AND I/O DEVICE ACCESSDetermine if the organization:SC-41[1]defines connection ports or input/output devices to be physically disabled or removed on information systems or information system components;SC-41[2]defines information systems or information system components with organization-defined connection ports or input/output devices that are to be physically disabled or removed; andSC-41[3]physically disables or removes organization-defined connection ports or 
input/output devices on organization-defined information systems or information system components.SYSTEM AND COMMUNICATIONS PROTECTIONSC-42SENSOR CAPABILITY AND DATADetermine if:SC-42(a)SC-42(a)[1]the organization defines exceptions where remote activation of sensors is to be allowed;SC-42(a)[2]the information system prohibits the remote activation of sensors, except for organization-defined exceptions where remote activation of sensors is to be allowed;SC-42(b)SC-42(b)[1]the organization defines the class of users to whom an explicit indication of sensor use is to be provided; andSC-42(b)[2]the information system provides an explicit indication of sensor use to the organization-defined class of users.SC-42(1)REPORTING TO AUTHORIZED INDIVIDUALS OR ROLESDetermine if the organization:SC-42(1)[1]defines sensors to be used to collect data or information only reported to authorized individuals or roles; andSC-42(1)[2]ensures that the information system is configured so that data or information collected by the organization-defined sensors is only reported to authorized individuals or roles.SC-42(2)AUTHORIZED USEDetermine if the organization:SC-42(2)[1]defines measures to be employed so that data or information collected by sensors is only used for authorized purposes;SC-42(2)[2]defines sensors to be used to collect data or information for authorized purposes only; andSC-42(2)[3]employs organization-defined measures so that data or information collected by organization-defined sensors is only used for authorized purposes.SC-42(3)PROHIBIT USE OF DEVICESDetermine if the organization:SC-42(3)[1]defines environmental sensing capabilities to be prohibited from use in facilities, areas, or systems;SC-42(3)[2]defines facilities, areas, or systems where the use of devices possessing organization-defined environmental sensing capabilities is to be prohibited; andSC-42(3)[3]prohibits the use of devices possessing organization-defined environmental sensing capabilities in 
organization-defined facilities, areas, or systems.SYSTEM AND COMMUNICATIONS PROTECTIONSC-43USAGE RESTRICTIONSDetermine if the organization:SC-43(a)SC-43(a)[1]defines information system components for which usage restrictions and implementation guidance are to be established;SC-43(a)[2]establishes, for organization-defined information system components:SC-43(a)[2][a]usage restrictions based on the potential to cause damage to the information system if used maliciously;SC-43(a)[2][b]implementation guidance based on the potential to cause damage to the information system if used maliciously;SC-43(b)SC-43(b)[1]authorizes the use of such components within the information system;SC-43(b)[2]monitors the use of such components within the information system; andSC-43(b)[3]controls the use of such components within the information system.SYSTEM AND COMMUNICATIONS PROTECTIONSC-44DETONATION CHAMBERSDetermine if the organization:SC-44[1]defines information system, system component, or location where a detonation chamber capability is to be employed; andSC-44[2]employs a detonation chamber capability within organization-defined information system, system component, or location.SYSTEM AND INFORMATION INTEGRITYSI-1SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURESDetermine if the organization:SI-1(a)(1)SI-1(a)(1)[1]develops and documents a system and information integrity policy that addresses:SI-1(a)(1)[1][a]purpose;SI-1(a)(1)[1][b]scope;SI-1(a)(1)[1][c]roles;SI-1(a)(1)[1][d]responsibilities;SI-1(a)(1)[1][e]management commitment;SI-1(a)(1)[1][f]coordination among organizational entities;SI-1(a)(1)[1][g]compliance;SI-1(a)(1)[2]defines personnel or roles to whom the system and information integrity policy is to be disseminated;SI-1(a)(1)[3]disseminates the system and information integrity policy to organization-defined personnel or roles;SI-1(a)(2)SI-1(a)(2)[1]develops and documents procedures to facilitate the implementation of the system and information integrity policy and 
associated system and information integrity controls;SI-1(a)(2)[2]defines personnel or roles to whom the procedures are to be disseminated;SI-1(a)(2)[3]disseminates the procedures to organization-defined personnel or roles;SI-1(b)(1)SI-1(b)(1)[1]defines the frequency to review and update the current system and information integrity policy;SI-1(b)(1)[2]reviews and updates the current system and information integrity policy with the organization-defined frequency;SI-1(b)(2)SI-1(b)(2)[1]defines the frequency to review and update the current system and information integrity procedures; andSI-1(b)(2)[2]reviews and updates the current system and information integrity procedures with the organization-defined frequency.SYSTEM AND INFORMATION INTEGRITYSI-2FLAW REMEDIATIONDetermine if the organization:SI-2(a)SI-2(a)[1]identifies information system flaws;SI-2(a)[2]reports information system flaws;SI-2(a)[3]corrects information system flaws;SI-2(b)SI-2(b)[1]tests software updates related to flaw remediation for effectiveness and potential side effects before installation;SI-2(b)[2]tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;SI-2(c)SI-2(c)[1]defines the time period within which to install security-relevant software updates after the release of the updates;SI-2(c)[2]defines the time period within which to install security-relevant firmware updates after the release of the updates;SI-2(c)[3]installs software updates within the organization-defined time period of the release of the updates;SI-2(c)[4]installs firmware updates within the organization-defined time period of the release of the updates; andSI-2(d)incorporates flaw remediation into the organizational configuration management process.SI-2(1)CENTRAL MANAGEMENTDetermine if the organization centrally manages the flaw remediation process.SI-2(2)AUTOMATED FLAW REMEDIATION STATUSDetermine if the organization:SI-2(2)[1]defines a frequency to employ 
automated mechanisms to determine the state of information system components with regard to flaw remediation; andSI-2(2)[2]employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.SI-2(3)TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTION ACTIONSDetermine if the organization:SI-2(3)(a)measures the time between flaw identification and flaw remediation;SI-2(3)(b)SI-2(3)(b)[1]defines benchmarks for taking corrective actions; andSI-2(3)(b)[2]establishes organization-defined benchmarks for taking corrective actions.SI-2(4)AUTOMATED PATCH MANAGEMENT TOOLSSI-2[Withdrawn: Incorporated into SI-2].SI-2(5)AUTOMATIC SOFTWARE / FIRMWARE UPDATESDetermine if the organization:SI-2(5)[1]SI-2(5)[1][a]defines information system components requiring security-relevant software updates to be automatically installed;SI-2(5)[1][b]defines information system components requiring security-relevant firmware updates to be automatically installed;SI-2(5)[2]SI-2(5)[2][a]defines security-relevant software updates to be automatically installed to organization-defined information system components;SI-2(5)[2][b]defines security-relevant firmware updates to be automatically installed to organization-defined information system components;SI-2(5)[3]SI-2(5)[3][a]installs organization-defined security-relevant software updates automatically to organization-defined information system components; andSI-2(5)[3][b]installs organization-defined security-relevant firmware updates automatically to organization-defined information system components.SI-2(6)REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWAREDetermine if the organization:SI-2(6)[1]SI-2(6)[1][a]defines software components to be removed after updated versions have been installed;SI-2(6)[1][b]defines firmware components to be removed after updated versions have been installed;SI-2(6)[2]SI-2(6)[2][a]removes organization-defined software components after 
updated versions have been installed; andSI-2(6)[2][b]removes organization-defined firmware components after updated versions have been installed.SYSTEM AND INFORMATION INTEGRITYSI-3MALICIOUS CODE PROTECTIONDetermine if the organization:SI-3(a)employs malicious code protection mechanisms to detect and eradicate malicious code at information system:SI-3(a)[1]entry points;SI-3(a)[2]exit points;SI-3(b)updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);SI-3(c)SI-3(c)[1]defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;SI-3(c)[2]defines action to be initiated by malicious protection mechanisms in response to malicious code detection;SI-3(c)[3]SI-3(c)[3](1)configures malicious code protection mechanisms to:SI-3(c)[3](1)[a]perform periodic scans of the information system with the organization-defined frequency;SI-3(c)[3](1)[b]perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;SI-3(c)[3](2)configures malicious code protection mechanisms to do one or more of the following:SI-3(c)[3](2)[a]block malicious code in response to malicious code detection;SI-3(c)[3](2)[b]quarantine malicious code in response to malicious code detection;SI-3(c)[3](2)[c]send alert to administrator in response to malicious code detection; and/orSI-3(c)[3](2)[d]initiate organization-defined action in response to malicious code detection;SI-3(d)SI-3(d)[1]addresses the receipt of false positives during malicious code detection and eradication; andSI-3(d)[2]addresses the resulting potential impact on the availability of the information system.SI-3(1)CENTRAL MANAGEMENTDetermine if the organization centrally manages malicious code protection 
mechanisms.SI-3(2)AUTOMATIC UPDATESDetermine if the information system automatically updates malicious code protection mechanisms.SI-3(3)NON-PRIVILEGED USERSAC-6(10)[Withdrawn: Incorporated into AC-6(10)].SI-3(4)UPDATES ONLY BY PRIVILEGED USERSDetermine if the information system updates malicious code protection mechanisms only when directed by a privileged user.SI-3(5)PORTABLE STORAGE DEVICESMP-7[Withdrawn: Incorporated into MP-7].SI-3(6)TESTING / VERIFICATIONDetermine if the organization:SI-3(6)(a)SI-3(6)(a)[1]defines a frequency to test malicious code protection mechanisms;SI-3(6)(a)[2]tests malicious code protection mechanisms with the organization-defined frequency by introducing a known benign, non-spreading test case into the information system;SI-3(6)(b)SI-3(6)(b)[1]verifies that detection of the test case occurs; andSI-3(6)(b)[2]verifies that associated incident reporting occurs.SI-3(7)NONSIGNATURE-BASED DETECTIONDetermine if the information system implements non signature-based malicious code detection mechanisms.SI-3(8)DETECT UNAUTHORIZED COMMANDSDetermine if:SI-3(8)[1]the organization defines unauthorized operating system commands to be detected by the information system;SI-3(8)[2]the organization defines information system hardware components for which organization-defined unauthorized operating system commands are to be detected through the kernel application programming interface;SI-3(8)[3]the information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components, and does one or more of the following:SI-3(8)[3][a]issues a warning;SI-3(8)[3][b]audits the command execution; and/orSI-3(8)[3][c]prevents the execution of the command.SI-3(9)AUTHENTICATE REMOTE COMMANDSDetermine if:SI-3(9)[1]the organization defines security safeguards to be implemented by the information system to authenticate organization-defined remote 
commands;
  SI-3(9)[2] the organization defines remote commands to be authenticated by organization-defined security safeguards; and
  SI-3(9)[3] the information system implements organization-defined security safeguards to authenticate organization-defined remote commands.

SI-3(10) MALICIOUS CODE ANALYSIS
Determine if the organization:
  SI-3(10)(a)
    SI-3(10)(a)[1] defines tools and techniques to be employed to analyze the characteristics and behavior of malicious code;
    SI-3(10)(a)[2] employs organization-defined tools and techniques to analyze the characteristics and behavior of malicious code; and
  SI-3(10)(b) incorporates the results from malicious code analysis into incident response and flaw remediation processes.

SYSTEM AND INFORMATION INTEGRITY
SI-4 INFORMATION SYSTEM MONITORING
Determine if the organization:
  SI-4(a)
    SI-4(a)(1)
      SI-4(a)(1)[1] defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;
      SI-4(a)(1)[2] monitors the information system to detect, in accordance with organization-defined monitoring objectives:
        SI-4(a)(1)[2][a] attacks;
        SI-4(a)(1)[2][b] indicators of potential attacks;
    SI-4(a)(2) monitors the information system to detect unauthorized:
      SI-4(a)(2)[1] local connections;
      SI-4(a)(2)[2] network connections;
      SI-4(a)(2)[3] remote connections;
  SI-4(b)
    SI-4(b)(1) defines techniques and methods to identify unauthorized use of the information system;
    SI-4(b)(2) identifies unauthorized use of the information system through organization-defined techniques and methods;
  SI-4(c) deploys monitoring devices:
    SI-4(c)[1] strategically within the information system to collect organization-determined essential information;
    SI-4(c)[2] at ad hoc locations within the system to track specific types of transactions of interest to the organization;
  SI-4(d) protects information obtained from intrusion-monitoring tools from unauthorized:
    SI-4(d)[1] access;
    SI-4(d)[2] modification;
    SI-4(d)[3] deletion;
  SI-4(e) heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
  SI-4(f) obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;
  SI-4(g)
    SI-4(g)[1] defines personnel or roles to whom information system monitoring information is to be provided;
    SI-4(g)[2] defines information system monitoring information to be provided to organization-defined personnel or roles;
    SI-4(g)[3] defines a frequency to provide organization-defined information system monitoring information to organization-defined personnel or roles;
    SI-4(g)[4] provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:
      SI-4(g)[4][a] as needed; and/or
      SI-4(g)[4][b] with the organization-defined frequency.

SI-4(1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM
Determine if the organization:
  SI-4(1)[1] connects individual intrusion detection tools into an information system-wide intrusion detection system; and
  SI-4(1)[2] configures individual intrusion detection tools into an information system-wide intrusion detection system.

SI-4(2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
Determine if the organization employs automated tools to support near real-time analysis of events.

SI-4(3) AUTOMATED TOOL INTEGRATION
Determine if the organization, for rapid response to attacks by enabling reconfiguration of intrusion detection tools in support of attack isolation and elimination, employs automated tools to integrate intrusion detection tools into:
  SI-4(3)[1] access control mechanisms; and
  SI-4(3)[2] flow control mechanisms.

SI-4(4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
Determine if the organization:
  SI-4(4)[1] defines a frequency to monitor:
    SI-4(4)[1][a] inbound communications traffic for unusual or unauthorized activities or conditions;
    SI-4(4)[1][b] outbound communications traffic for unusual or unauthorized activities or conditions;
  SI-4(4)[2] monitors, with the organization-defined frequency:
    SI-4(4)[2][a] inbound communications traffic for unusual or unauthorized activities or conditions; and
    SI-4(4)[2][b] outbound communications traffic for unusual or unauthorized activities or conditions.

SI-4(5) SYSTEM-GENERATED ALERTS
Determine if:
  SI-4(5)[1] the organization defines compromise indicators for the information system;
  SI-4(5)[2] the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and
  SI-4(5)[3] the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur.

SI-4(6) RESTRICT NON-PRIVILEGED USERS
[Withdrawn: Incorporated into AC-6(10)].

SI-4(7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
Determine if:
  SI-4(7)[1] the organization defines incident response personnel (identified by name and/or by role) to be notified of detected suspicious events;
  SI-4(7)[2] the organization defines least-disruptive actions to be taken by the information system to terminate suspicious events;
  SI-4(7)[3] the information system notifies organization-defined incident response personnel of detected suspicious events; and
  SI-4(7)[4] the information system takes organization-defined least-disruptive actions to terminate suspicious events.

SI-4(8) PROTECTION OF MONITORING INFORMATION
[Withdrawn: Incorporated into SI-4].

SI-4(9) TESTING OF MONITORING TOOLS
Determine if the organization:
  SI-4(9)[1] defines a frequency to test intrusion-monitoring tools; and
  SI-4(9)[2] tests intrusion-monitoring tools with the organization-defined frequency.

SI-4(10) VISIBILITY OF ENCRYPTED COMMUNICATIONS
Determine if the organization:
  SI-4(10)[1] defines encrypted communications traffic required to be visible to information system monitoring tools;
  SI-4(10)[2] defines information system monitoring tools to be provided access to organization-defined encrypted communications traffic; and
  SI-4(10)[3] makes provisions so that organization-defined encrypted communications traffic is visible to organization-defined information system monitoring tools.

SI-4(11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
Determine if the organization:
  SI-4(11)[1] defines interior points within the system (e.g., subnetworks, subsystems) where communications traffic is to be analyzed;
  SI-4(11)[2] analyzes outbound communications traffic to discover anomalies at:
    SI-4(11)[2][a] the external boundary of the information system; and
    SI-4(11)[2][b] selected organization-defined interior points within the system.

SI-4(12) AUTOMATED ALERTS
Determine if the organization:
  SI-4(12)[1] defines activities that trigger alerts to security personnel based on inappropriate or unusual activities with security implications; and
  SI-4(12)[2] employs automated mechanisms to alert security personnel of organization-defined activities that trigger alerts based on inappropriate or unusual activities with security implications.

SI-4(13) ANALYZE TRAFFIC/EVENT PATTERNS
Determine if the organization:
  SI-4(13)(a) analyzes communications traffic/event patterns for the information system;
  SI-4(13)(b) develops profiles representing common traffic patterns and/or events; and
  SI-4(13)(c) uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives.

SI-4(14) WIRELESS INTRUSION DETECTION
Determine if the organization employs a wireless intrusion detection system to:
  SI-4(14)[1] identify rogue wireless devices;
  SI-4(14)[2] detect attack attempts to the information system; and
  SI-4(14)[3] detect potential compromises/breaches to the information system.

SI-4(15) WIRELESS TO WIRELINE COMMUNICATIONS
Determine if the organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

SI-4(16) CORRELATE MONITORING INFORMATION
Determine if the organization correlates information from monitoring tools employed throughout the information system.

SI-4(17) INTEGRATED SITUATIONAL AWARENESS
Determine if the organization, to achieve integrated, organization-wide situational awareness, correlates information from monitoring:
  SI-4(17)[1] physical activities;
  SI-4(17)[2] cyber activities; and
  SI-4(17)[3] supply chain activities.

SI-4(18) ANALYZE TRAFFIC / COVERT EXFILTRATION
Determine if the organization:
  SI-4(18)[1] defines interior points within the system (e.g., subsystems, subnetworks) where communications traffic is to be analyzed;
  SI-4(18)[2] to detect covert exfiltration of information, analyzes outbound communications traffic at:
    SI-4(18)[2][a] the external boundary of the information system (i.e., system perimeter); and
    SI-4(18)[2][b] organization-defined interior points within the system.

SI-4(19) INDIVIDUALS POSING GREATER RISK
Determine if the organization:
  SI-4(19)[1] defines sources that identify individuals who pose an increased level of risk;
  SI-4(19)[2] defines additional monitoring to be implemented on individuals who have been identified by organization-defined sources as posing an increased level of risk; and
  SI-4(19)[3] implements organization-defined additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk.

SI-4(20) PRIVILEGED USERS
Determine if the organization:
  SI-4(20)[1] defines additional monitoring to be implemented on privileged users; and
  SI-4(20)[2] implements organization-defined additional monitoring of privileged users.

SI-4(21) PROBATIONARY PERIODS
Determine if the organization:
  SI-4(21)[1] defines additional monitoring to be implemented on individuals during probationary periods;
  SI-4(21)[2] defines the probationary period during which organization-defined additional monitoring of individuals is to be performed; and
  SI-4(21)[3] implements organization-defined additional monitoring of individuals during the organization-defined probationary period.

SI-4(22) UNAUTHORIZED NETWORK SERVICES
Determine if:
  SI-4(22)[1] the organization defines authorization or approval processes for network services;
  SI-4(22)[2] the organization defines personnel or roles to be alerted upon detection of network services that have not been authorized or approved by organization-defined authorization or approval processes; and
  SI-4(22)[3] the information system detects network services that have not been authorized or approved by organization-defined authorization or approval processes and does one or more of the following:
    SI-4(22)[3][a] audits; and/or
    SI-4(22)[3][b] alerts organization-defined personnel or roles.

SI-4(23) HOST-BASED DEVICES
Determine if the organization:
  SI-4(23)[1] defines host-based monitoring mechanisms to be implemented;
  SI-4(23)[2] defines information system components where organization-defined host-based monitoring is to be implemented; and
  SI-4(23)[3] implements organization-defined host-based monitoring mechanisms at organization-defined information system components.

SI-4(24) INDICATORS OF COMPROMISE
Determine if the information system:
  SI-4(24)[1] discovers indicators of compromise;
  SI-4(24)[2] collects indicators of compromise;
  SI-4(24)[3] distributes indicators of compromise; and
  SI-4(24)[4] uses indicators of compromise.

SYSTEM AND INFORMATION INTEGRITY
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
Determine if the organization:
  SI-5(a)
    SI-5(a)[1] defines external organizations from whom information system security alerts, advisories, and directives are to be received;
    SI-5(a)[2] receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;
  SI-5(b) generates internal security alerts, advisories, and directives as deemed necessary;
  SI-5(c)
    SI-5(c)[1] defines personnel or roles to whom security alerts, advisories, and directives are to be provided;
    SI-5(c)[2] defines elements within the organization to whom security alerts, advisories, and directives are to be provided;
    SI-5(c)[3] defines external organizations to whom security alerts, advisories, and directives are to be provided;
    SI-5(c)[4] disseminates security alerts, advisories, and directives to one or more of the following:
      SI-5(c)[4][a] organization-defined personnel or roles;
      SI-5(c)[4][b] organization-defined elements within the organization; and/or
      SI-5(c)[4][c] organization-defined external organizations; and
  SI-5(d)
    SI-5(d)[1] implements security directives in accordance with established time frames; or
    SI-5(d)[2] notifies the issuing organization of the degree of noncompliance.

SI-5(1) AUTOMATED ALERTS AND ADVISORIES
Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

SYSTEM AND INFORMATION INTEGRITY
SI-6 SECURITY FUNCTION VERIFICATION
Determine if:
  SI-6(a)
    SI-6(a)[1] the organization defines security functions to be verified for correct operation;
    SI-6(a)[2] the information system verifies the correct operation of organization-defined security functions;
  SI-6(b)
    SI-6(b)[1] the organization defines system transitional states requiring verification of organization-defined security functions;
    SI-6(b)[2] the organization defines a frequency to verify the correct operation of organization-defined security functions;
    SI-6(b)[3] the information system performs this verification one or more of the following:
      SI-6(b)[3][a] at organization-defined system transitional states;
      SI-6(b)[3][b] upon command by a user with appropriate privilege; and/or
      SI-6(b)[3][c] with the organization-defined frequency;
  SI-6(c)
    SI-6(c)[1] the organization defines personnel or roles to be notified of failed security verification tests;
    SI-6(c)[2] the information system notifies organization-defined personnel or roles of failed security verification tests;
  SI-6(d)
    SI-6(d)[1] the organization defines alternative action(s) to be performed when anomalies are discovered;
    SI-6(d)[2] the information system performs one or more of the following actions when anomalies are discovered:
      SI-6(d)[2][a] shuts the information system down;
      SI-6(d)[2][b] restarts the information system; and/or
      SI-6(d)[2][c] performs organization-defined alternative action(s).

SI-6(1) NOTIFICATION OF FAILED SECURITY TESTS
[Withdrawn: Incorporated into SI-6].

SI-6(2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING
Determine if the information system implements automated mechanisms to support the management of distributed security testing.

SI-6(3) REPORT VERIFICATION RESULTS
Determine if the organization:
  SI-6(3)[1] defines personnel or roles designated to receive the results of security function verification; and
  SI-6(3)[2] reports the results of security function verification to organization-defined personnel or roles.

SYSTEM AND INFORMATION INTEGRITY
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
Determine if the organization:
  SI-7[1]
    SI-7[1][a] defines software requiring integrity verification tools to be employed to detect unauthorized changes;
    SI-7[1][b] defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;
    SI-7[1][c] defines information requiring integrity verification tools to be employed to detect unauthorized changes;
  SI-7[2] employs integrity verification tools to detect unauthorized changes to organization-defined:
    SI-7[2][a] software;
    SI-7[2][b] firmware; and
    SI-7[2][c] information.

SI-7(1) INTEGRITY CHECKS
Determine if:
  SI-7(1)[1] the organization defines:
    SI-7(1)[1][a] software requiring integrity checks to be performed;
    SI-7(1)[1][b] firmware requiring integrity checks to be performed;
    SI-7(1)[1][c] information requiring integrity checks to be performed;
  SI-7(1)[2] the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:
    SI-7(1)[2][a] software;
    SI-7(1)[2][b] firmware;
    SI-7(1)[2][c] information;
  SI-7(1)[3] the organization defines a frequency with which to perform an integrity check of organization-defined:
    SI-7(1)[3][a] software;
    SI-7(1)[3][b] firmware;
    SI-7(1)[3][c] information;
  SI-7(1)[4] the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:
    SI-7(1)[4][a] at startup;
    SI-7(1)[4][b] at organization-defined transitional states or security-relevant events; and/or
    SI-7(1)[4][c] with the organization-defined frequency.

SI-7(2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
Determine if the organization:
  SI-7(2)[1] defines personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification; and
  SI-7(2)[2] employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.

SI-7(3) CENTRALLY-MANAGED INTEGRITY TOOLS
Determine if the organization employs centrally managed integrity verification tools.

SI-7(4) TAMPER-EVIDENT PACKAGING
[Withdrawn: Incorporated into SA-12].

SI-7(5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
Determine if:
  SI-7(5)[1] the organization defines security safeguards to be implemented when integrity violations are discovered; and
  SI-7(5)[2] the information system automatically performs one or more of the following actions when integrity violations are discovered:
    SI-7(5)[2][a] shuts the information system down;
    SI-7(5)[2][b] restarts the information system; and/or
    SI-7(5)[2][c] implements the organization-defined security safeguards.

SI-7(6) CRYPTOGRAPHIC PROTECTION
Determine if the information system employs cryptographic mechanisms to detect unauthorized changes to:
  SI-7(6)[1] software;
  SI-7(6)[2] firmware; and
  SI-7(6)[3] information.

SI-7(7) INTEGRATION OF DETECTION AND RESPONSE
Determine if the organization:
  SI-7(7)[1] defines unauthorized security-relevant changes to the information system; and
  SI-7(7)[2] incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

SI-7(8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS
Determine if:
  SI-7(8)[1] the organization defines personnel or roles to be alerted upon detection of a potential integrity violation;
  SI-7(8)[2] the organization defines other actions to be taken upon detection of a potential integrity violation;
  SI-7(8)[3]
    SI-7(8)[3][a] the information system, upon detection of a potential integrity violation, provides the capability to audit the event;
    SI-7(8)[3][b] the information system, upon detection of a potential integrity violation, initiates one or more of the following actions:
      SI-7(8)[3][b][1] generates an audit record;
      SI-7(8)[3][b][2] alerts the current user;
      SI-7(8)[3][b][3] alerts organization-defined personnel or roles; and/or
      SI-7(8)[3][b][4] organization-defined other actions.

SI-7(9) VERIFY BOOT PROCESS
Determine if:
  SI-7(9)[1] the organization defines devices requiring integrity verification of the boot process; and
  SI-7(9)[2] the information system verifies the integrity of the boot process of organization-defined devices.

SI-7(10) PROTECTION OF BOOT SOFTWARE
Determine if:
  SI-7(10)[1] the organization defines security safeguards to be implemented to protect the integrity of boot firmware in devices;
  SI-7(10)[2] the organization defines devices requiring organization-defined security safeguards to be implemented to protect the integrity of boot firmware; and
  SI-7(10)[3] the information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.

SI-7(11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
Determine if the organization:
  SI-7(11)[1] defines user-installed software to be executed in a confined physical or virtual machine environment with limited privileges; and
  SI-7(11)[2] requires that organization-defined user-installed software execute in a confined physical or virtual machine environment with limited privileges.

SI-7(12) INTEGRITY VERIFICATION
Determine if the organization:
  SI-7(12)[1] defines user-installed software requiring integrity verification prior to execution; and
  SI-7(12)[2] requires that the integrity of organization-defined user-installed software be verified prior to execution.

SI-7(13) CODE EXECUTION IN PROTECTED ENVIRONMENTS
Determine if the organization:
  SI-7(13)[1] allows execution of binary or machine-executable code obtained from sources with limited or no warranty;
  SI-7(13)[2] allows execution of binary or machine-executable code without the provision of source code only in confined physical or virtual machines;
  SI-7(13)[3] defines personnel or roles required to provide explicit approval to allow execution of binary or machine-executable code; and
  SI-7(13)[4] allows execution of binary or machine-executable code with the explicit approval of organization-defined personnel or roles.

SI-7(14) BINARY OR MACHINE EXECUTABLE CODE
Determine if the organization:
  SI-7(14)(a)
    SI-7(14)(a)[1] prohibits the use of binary or machine-executable code from sources with limited or no warranty;
    SI-7(14)(a)[2] prohibits the use of binary or machine-executable code without the provision of source code;
  SI-7(14)(b)
    SI-7(14)(b)[1] provides exceptions to the source code requirement only for compelling mission/operational requirements; and
    SI-7(14)(b)[2] provides exceptions to the source code requirement only with the approval of the authorizing official.

SI-7(15) CODE AUTHENTICATION
Determine if:
  SI-7(15)[1]
    SI-7(15)[1][a] the organization defines software components to be authenticated by cryptographic mechanisms prior to installation;
    SI-7(15)[1][b] the organization defines firmware components to be authenticated by cryptographic mechanisms prior to installation;
  SI-7(15)[2]
    SI-7(15)[2][a] the information system implements cryptographic mechanisms to authenticate organization-defined software components prior to installation; and
    SI-7(15)[2][b] the information system implements cryptographic mechanisms to authenticate organization-defined firmware components prior to installation.

SI-7(16) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
Determine if the organization:
  SI-7(16)[1] defines a time period as the maximum period allowed for processes to execute without supervision; and
  SI-7(16)[2] does not allow processes to execute without supervision for more than the organization-defined time period.

SYSTEM AND INFORMATION INTEGRITY
SI-8 SPAM PROTECTION
Determine if the organization:
  SI-8(a) employs spam protection mechanisms:
    SI-8(a)[1] at information system entry points to detect unsolicited messages;
    SI-8(a)[2] at information system entry points to take action on unsolicited messages;
    SI-8(a)[3] at information system exit points to detect unsolicited messages;
    SI-8(a)[4] at information system exit points to take action on unsolicited messages; and
  SI-8(b) updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

SI-8(1) CENTRAL MANAGEMENT
Determine if the organization centrally manages spam protection mechanisms.

SI-8(2) AUTOMATIC UPDATES
Determine if the information system automatically updates spam protection mechanisms.

SI-8(3) CONTINUOUS LEARNING CAPABILITY
Determine if the information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

SYSTEM AND INFORMATION INTEGRITY
SI-9 INFORMATION INPUT RESTRICTIONS
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].

SYSTEM AND INFORMATION INTEGRITY
SI-10 INFORMATION INPUT VALIDATION
Determine if:
  SI-10[1] the organization defines information inputs requiring validity checks; and
  SI-10[2] the information system checks the validity of organization-defined information inputs.

SI-10(1) MANUAL OVERRIDE CAPABILITY
Determine if:
  SI-10(1)(a)
    SI-10(1)(a)[1] the organization defines information inputs for which the information system provides a manual override capability for input validation;
    SI-10(1)(a)[2] the information system provides a manual override capability for input validation of organization-defined inputs;
  SI-10(1)(b)
    SI-10(1)(b)[1] the organization defines authorized individuals who can use the manual override capability;
    SI-10(1)(b)[2] the information system restricts the use of the manual override capability to organization-defined authorized individuals; and
  SI-10(1)(c) the information system audits the use of the manual override capability.

SI-10(2) REVIEW / RESOLUTION OF ERRORS
Determine if the organization:
  SI-10(2)[1] defines a time period within which input validation errors are to be reviewed and resolved; and
  SI-10(2)[2] ensures that input validation errors are reviewed and resolved within the organization-defined time period.

SI-10(3) PREDICTABLE BEHAVIOR
Determine if the information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

SI-10(4) REVIEW / TIMING INTERACTIONS
Determine if the organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.

SI-10(5) RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS
Determine if the organization:
  SI-10(5)[1] defines trusted sources to which the use of information inputs is to be restricted;
  SI-10(5)[2] defines formats to which the use of information inputs is to be restricted; and
  SI-10(5)[3] restricts the use of information inputs to:
    SI-10(5)[3][a] organization-defined trusted sources; and/or
    SI-10(5)[3][b] organization-defined formats.

SYSTEM AND INFORMATION INTEGRITY
SI-11 ERROR HANDLING
Determine if:
  SI-11(a) the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;
  SI-11(b)
    SI-11(b)[1] the organization defines personnel or roles to whom error messages are to be revealed; and
    SI-11(b)[2] the information system reveals error messages only to organization-defined personnel or roles.

SYSTEM AND INFORMATION INTEGRITY
SI-12 INFORMATION HANDLING AND RETENTION
Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:
  SI-12[1] handles information within the information system;
  SI-12[2] handles output from the information system;
  SI-12[3] retains information within the information system; and
  SI-12[4] retains output from the information system.

SYSTEM AND INFORMATION INTEGRITY
SI-13 PREDICTABLE FAILURE PREVENTION
Determine if the organization:
  SI-13(a)
    SI-13(a)[1] defines information system components for which mean time to failure (MTTF) should be determined;
    SI-13(a)[2] determines MTTF for organization-defined information system components in specific environments of operation;
  SI-13(b)
    SI-13(b)[1] defines MTTF substitution criteria to be used as a means to exchange active and standby components;
    SI-13(b)[2] provides substitute information system components at organization-defined MTTF substitution criteria; and
    SI-13(b)[3] provides a means to exchange active and standby components at organization-defined MTTF substitution criteria.

SI-13(1) TRANSFERRING COMPONENT RESPONSIBILITIES
Determine if the organization:
  SI-13(1)[1] defines the maximum fraction or percentage of mean time to failure within which to transfer the responsibilities of an information system component that is out of service to a substitute component; and
  SI-13(1)[2] takes the information system component out of service by transferring component responsibilities to substitute components no later than the organization-defined fraction or percentage of mean time to failure.

SI-13(2) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
[Withdrawn: Incorporated into SI-7(16)].

SI-13(3) MANUAL TRANSFER BETWEEN COMPONENTS
Determine if the organization:
  SI-13(3)[1] defines the minimum frequency with which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period;
  SI-13(3)[2] defines the time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components; and
  SI-13(3)[3] manually initiates transfers between active and standby information system components at the organization-defined frequency if the mean time to failure exceeds the organization-defined time period.

SI-13(4) STANDBY COMPONENT INSTALLATION / NOTIFICATION
Determine if the organization:
  SI-13(4)(a)
    SI-13(4)(a)[1] defines a time period for standby information system components to be successfully and transparently installed when information system component failures are detected;
    SI-13(4)(a)[2] ensures that the standby components are successfully and transparently installed within the organization-defined time period;
  SI-13(4)(b)
    SI-13(4)(b)[1] defines an alarm to be activated when information system component failures are detected;
    SI-13(4)(b)[2] if information system component failures are detected, does one or more of the following:
      SI-13(4)(b)[2][a] activates the organization-defined alarm; and/or
      SI-13(4)(b)[2][b] automatically shuts down the information system.

SI-13(5) FAILOVER CAPABILITY
Determine if the organization:
  SI-13(5)[1] defines failover capability to be provided for the information system; and
  SI-13(5)[2] provides one or more of the following organization-defined failover capabilities for the information system:
    SI-13(5)[2][a] real-time failover capability; and/or
    SI-13(5)[2][b] near real-time failover capability.

SYSTEM AND INFORMATION INTEGRITY
SI-14 NON-PERSISTENCE
Determine if the organization:
  SI-14[1] defines non-persistent information system components and services to be implemented;
  SI-14[2]
    SI-14[2][a] defines a frequency to terminate non-persistent organization-defined components and services that are initiated in a known state;
    SI-14[2][b] implements non-persistent organization-defined information system components and services that are initiated in a known state and terminated one or more of the following:
      SI-14[2][b][1] upon end of session of use; and/or
      SI-14[2][b][2] periodically at the organization-defined frequency.

SI-14(1) REFRESH FROM TRUSTED SOURCES
Determine if the organization:
  SI-14(1)[1] defines trusted sources from which software and data employed during information system component and service refreshes are to be obtained; and
  SI-14(1)[2] ensures that software and data employed during information system component and service refreshes are obtained from organization-defined trusted sources.

SYSTEM AND INFORMATION INTEGRITY
SI-15 INFORMATION OUTPUT FILTERING
Determine if:
  SI-15[1] the organization defines software programs and/or applications whose information output requires validation to ensure that the information is consistent with the expected content; and
  SI-15[2] the information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.

SYSTEM AND INFORMATION INTEGRITY
SI-16 MEMORY PROTECTION
Determine if:
  SI-16[1] the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and
  SI-16[2] the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.

SYSTEM AND INFORMATION INTEGRITY
SI-17 FAIL-SAFE PROCEDURES
Determine if:
  SI-17[1] the organization defines fail-safe procedures to be implemented when organization-defined failure conditions occur;
  SI-17[2] the organization defines failure conditions resulting in organization-defined fail-safe procedures being implemented when such conditions occur; and
  SI-17[3] the information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur.